* [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 1:54 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 1:54 UTC (permalink / raw)
To: James Morris
Cc: LSM, LKLM, SE Linux, John Johansen, Eric Paris, Tetsuo Handa,
Kees Cook, Casey Schaufler
Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
A level of indirection has been introduced in the handling of
security blobs. LSMs no longer access ->security fields directly,
instead they use an abstraction provided by lsm_[gs]et field
functions.
The XFRM hooks are only used by SELinux and it is not clear
that they can be shared. The First LSM that registers using
those hooks gets to use them. Any subsequent LSM that uses
those hooks is denied registration.
Secids have not been made shareable. Only one LSM that uses
secids (SELinux and Smack) can be used at a time. The first
to register wins.
The "security=" boot option takes a comma separated list of
LSMs, registering them in the order presented. The LSM hooks
will be executed in the order registered. Hooks that return
errors are not short circuited. All hooks are called even
if one of the LSM hooks fails. The result returned will be
that of the last LSM hook that failed.
Some hooks don't fit that model. setprocattr, getprocattr,
and a few others are special cased. All behavior from
security/capability.c has been moved into the hook handling.
The security/commoncap functions used to get called from
the LSM specific code. The handling of the capability
functions has been moved out of the LSMs and into the
hook handling.
The /proc/*/attr interfaces are given to one LSM. This
can be done by setting CONFIG_SECURITY_PRESENT. Additional
interfaces have been created in /proc/*/attr so that
each LSM has its own named interfaces.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/proc/base.c | 28 +-
include/linux/lsm.h | 174 ++++
include/linux/security.h | 255 +++++-
security/Kconfig | 79 +-
security/Makefile | 3 +-
security/apparmor/context.c | 10 +-
security/apparmor/domain.c | 19 +-
security/apparmor/include/context.h | 13 +-
security/apparmor/lsm.c | 66 +-
security/capability.c | 1081 -------------------------
security/commoncap.c | 6 -
security/inode.c | 79 +-
security/security.c | 1496 ++++++++++++++++++++++++++++-------
security/selinux/hooks.c | 410 +++++-----
security/selinux/include/objsec.h | 2 +
security/selinux/include/xfrm.h | 2 +-
security/selinux/netlabel.c | 13 +-
security/selinux/selinuxfs.c | 6 +-
security/selinux/xfrm.c | 9 +-
security/smack/smack.h | 14 +-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 367 ++++-----
security/smack/smackfs.c | 16 +-
security/tomoyo/common.h | 6 +-
security/tomoyo/domain.c | 2 +-
security/tomoyo/securityfs_if.c | 9 +-
security/tomoyo/tomoyo.c | 47 +-
security/yama/Kconfig | 7 -
security/yama/yama_lsm.c | 33 +-
29 files changed, 2226 insertions(+), 2028 deletions(-)
^ permalink raw reply [flat|nested] 67+ messages in thread
* [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 1:54 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 1:54 UTC (permalink / raw)
To: James Morris
Cc: LSM, LKLM, SE Linux, John Johansen, Eric Paris, Tetsuo Handa,
Kees Cook, Casey Schaufler
Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
A level of indirection has been introduced in the handling of
security blobs. LSMs no longer access ->security fields directly,
instead they use an abstraction provided by lsm_[gs]et field
functions.
The XFRM hooks are only used by SELinux and it is not clear
that they can be shared. The First LSM that registers using
those hooks gets to use them. Any subsequent LSM that uses
those hooks is denied registration.
Secids have not been made shareable. Only one LSM that uses
secids (SELinux and Smack) can be used at a time. The first
to register wins.
The "security=" boot option takes a comma separated list of
LSMs, registering them in the order presented. The LSM hooks
will be executed in the order registered. Hooks that return
errors are not short circuited. All hooks are called even
if one of the LSM hooks fails. The result returned will be
that of the last LSM hook that failed.
Some hooks don't fit that model. setprocattr, getprocattr,
and a few others are special cased. All behavior from
security/capability.c has been moved into the hook handling.
The security/commoncap functions used to get called from
the LSM specific code. The handling of the capability
functions has been moved out of the LSMs and into the
hook handling.
The /proc/*/attr interfaces are given to one LSM. This
can be done by setting CONFIG_SECURITY_PRESENT. Additional
interfaces have been created in /proc/*/attr so that
each LSM has its own named interfaces.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/proc/base.c | 28 +-
include/linux/lsm.h | 174 ++++
include/linux/security.h | 255 +++++-
security/Kconfig | 79 +-
security/Makefile | 3 +-
security/apparmor/context.c | 10 +-
security/apparmor/domain.c | 19 +-
security/apparmor/include/context.h | 13 +-
security/apparmor/lsm.c | 66 +-
security/capability.c | 1081 -------------------------
security/commoncap.c | 6 -
security/inode.c | 79 +-
security/security.c | 1496 ++++++++++++++++++++++++++++-------
security/selinux/hooks.c | 410 +++++-----
security/selinux/include/objsec.h | 2 +
security/selinux/include/xfrm.h | 2 +-
security/selinux/netlabel.c | 13 +-
security/selinux/selinuxfs.c | 6 +-
security/selinux/xfrm.c | 9 +-
security/smack/smack.h | 14 +-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 367 ++++-----
security/smack/smackfs.c | 16 +-
security/tomoyo/common.h | 6 +-
security/tomoyo/domain.c | 2 +-
security/tomoyo/securityfs_if.c | 9 +-
security/tomoyo/tomoyo.c | 47 +-
security/yama/Kconfig | 7 -
security/yama/yama_lsm.c | 33 +-
29 files changed, 2226 insertions(+), 2028 deletions(-)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* [PATCH v12 1/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 1/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Changes for AppArmor. Abstract access to security blobs.
Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/apparmor/context.c | 10 +++---
security/apparmor/domain.c | 19 ++++------
security/apparmor/include/context.h | 13 +++++--
security/apparmor/lsm.c | 66 +++++++++++++----------------------
4 files changed, 45 insertions(+), 63 deletions(-)
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index 8a9b502..3d9e460 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -76,7 +76,7 @@ void aa_dup_task_context(struct aa_task_cxt *new, const struct aa_task_cxt *old)
*/
int aa_replace_current_profile(struct aa_profile *profile)
{
- struct aa_task_cxt *cxt = current_cred()->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(current_cred(), &apparmor_ops);
struct cred *new;
BUG_ON(!profile);
@@ -87,7 +87,7 @@ int aa_replace_current_profile(struct aa_profile *profile)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
/* if switching to unconfined or a different profile namespace
* clear out context state
@@ -123,7 +123,7 @@ int aa_set_current_onexec(struct aa_profile *profile)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
aa_get_profile(profile);
aa_put_profile(cxt->onexec);
cxt->onexec = profile;
@@ -150,7 +150,7 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token)
return -ENOMEM;
BUG_ON(!profile);
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (!cxt->previous) {
/* transfer refcount */
cxt->previous = cxt->profile;
@@ -187,7 +187,7 @@ int aa_restore_previous_profile(u64 token)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (cxt->token != token) {
abort_creds(new);
return -EACCES;
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 60f0c76..7ad4e26 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -353,14 +353,12 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
bprm->file->f_path.dentry->d_inode->i_mode
};
const char *name = NULL, *target = NULL, *info = NULL;
- int error = cap_bprm_set_creds(bprm);
- if (error)
- return error;
+ int error = 0;
if (bprm->cred_prepared)
return 0;
- cxt = bprm->cred->security;
+ cxt = lsm_get_cred(bprm->cred, &apparmor_ops);
BUG_ON(!cxt);
profile = aa_get_profile(aa_newest_version(cxt->profile));
@@ -539,15 +537,10 @@ cleanup:
*/
int apparmor_bprm_secureexec(struct linux_binprm *bprm)
{
- int ret = cap_bprm_secureexec(bprm);
-
/* the decision to use secure exec is computed in set_creds
* and stored in bprm->unsafe.
*/
- if (!ret && (bprm->unsafe & AA_SECURE_X_NEEDED))
- ret = 1;
-
- return ret;
+ return bprm->unsafe & AA_SECURE_X_NEEDED;
}
/**
@@ -557,7 +550,7 @@ int apparmor_bprm_secureexec(struct linux_binprm *bprm)
void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
{
struct aa_profile *profile = __aa_current_profile();
- struct aa_task_cxt *new_cxt = bprm->cred->security;
+ struct aa_task_cxt *new_cxt = lsm_get_cred(bprm->cred, &apparmor_ops);
/* bail out if unconfined or not changing profile */
if ((new_cxt->profile == profile) ||
@@ -634,7 +627,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
/* released below */
cred = get_current_cred();
- cxt = cred->security;
+ cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
previous_profile = cxt->previous;
@@ -770,7 +763,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
}
cred = get_current_cred();
- cxt = cred->security;
+ cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
/*
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index a9cbee4..8484e55 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -18,6 +18,7 @@
#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
+#include <linux/lsm.h>
#include "policy.h"
@@ -81,6 +82,8 @@ int aa_set_current_onexec(struct aa_profile *profile);
int aa_set_current_hat(struct aa_profile *profile, u64 token);
int aa_restore_previous_profile(u64 cookie);
+extern struct security_operations apparmor_ops;
+
/**
* __aa_task_is_confined - determine if @task has any confinement
* @task: task to check confinement of (NOT NULL)
@@ -89,7 +92,9 @@ int aa_restore_previous_profile(u64 cookie);
*/
static inline bool __aa_task_is_confined(struct task_struct *task)
{
- struct aa_task_cxt *cxt = __task_cred(task)->security;
+ struct aa_task_cxt *cxt;
+
+ cxt = lsm_get_cred(__task_cred(task), &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
if (unconfined(aa_newest_version(cxt->profile)))
@@ -108,7 +113,7 @@ static inline bool __aa_task_is_confined(struct task_struct *task)
*/
static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
{
- struct aa_task_cxt *cxt = cred->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(cred, &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
return aa_newest_version(cxt->profile);
}
@@ -136,8 +141,10 @@ static inline struct aa_profile *__aa_current_profile(void)
*/
static inline struct aa_profile *aa_current_profile(void)
{
- const struct aa_task_cxt *cxt = current_cred()->security;
+ const struct aa_task_cxt *cxt;
struct aa_profile *profile;
+
+ cxt = lsm_get_cred(current_cred(), &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
profile = aa_newest_version(cxt->profile);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8c2a7f6..28d6fd4 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -48,8 +48,8 @@ int apparmor_initialized __initdata;
*/
static void apparmor_cred_free(struct cred *cred)
{
- aa_free_task_context(cred->security);
- cred->security = NULL;
+ aa_free_task_context(lsm_get_cred(cred, &apparmor_ops));
+ lsm_set_cred(cred, NULL, &apparmor_ops);
}
/*
@@ -62,7 +62,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (!cxt)
return -ENOMEM;
- cred->security = cxt;
+ lsm_set_cred(cred, cxt, &apparmor_ops);
return 0;
}
@@ -77,8 +77,8 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
if (!cxt)
return -ENOMEM;
- aa_dup_task_context(cxt, old->security);
- new->security = cxt;
+ aa_dup_task_context(cxt, lsm_get_cred(old, &apparmor_ops));
+ lsm_set_cred(new, cxt, &apparmor_ops);
return 0;
}
@@ -87,8 +87,8 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
*/
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct aa_task_cxt *old_cxt = old->security;
- struct aa_task_cxt *new_cxt = new->security;
+ const struct aa_task_cxt *old_cxt = lsm_get_cred(old, &apparmor_ops);
+ struct aa_task_cxt *new_cxt = lsm_get_cred(new, &apparmor_ops);
aa_dup_task_context(new_cxt, old_cxt);
}
@@ -96,19 +96,11 @@ static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
static int apparmor_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int error = cap_ptrace_access_check(child, mode);
- if (error)
- return error;
-
return aa_ptrace(current, child, mode);
}
static int apparmor_ptrace_traceme(struct task_struct *parent)
{
- int error = cap_ptrace_traceme(parent);
- if (error)
- return error;
-
return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
}
@@ -140,14 +132,11 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit)
{
struct aa_profile *profile;
- /* cap_capable returns 0 on success, else -EPERM */
- int error = cap_capable(cred, ns, cap, audit);
- if (!error) {
- profile = aa_cred_profile(cred);
- if (!unconfined(profile))
- error = aa_capable(current, profile, cap, audit);
- }
- return error;
+
+ profile = aa_cred_profile(cred);
+ if (!unconfined(profile))
+ return aa_capable(current, profile, cap, audit);
+ return 0;
}
/**
@@ -375,7 +364,7 @@ static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
static int apparmor_file_open(struct file *file, const struct cred *cred)
{
- struct aa_file_cxt *fcxt = file->f_security;
+ struct aa_file_cxt *fcxt = lsm_get_file(file, &apparmor_ops);
struct aa_profile *profile;
int error = 0;
@@ -409,8 +398,8 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
static int apparmor_file_alloc_security(struct file *file)
{
/* freed by apparmor_file_free_security */
- file->f_security = aa_alloc_file_context(GFP_KERNEL);
- if (!file->f_security)
+ lsm_set_file(file, aa_alloc_file_context(GFP_KERNEL), &apparmor_ops);
+ if (!lsm_get_file(file, &apparmor_ops))
return -ENOMEM;
return 0;
@@ -418,14 +407,15 @@ static int apparmor_file_alloc_security(struct file *file)
static void apparmor_file_free_security(struct file *file)
{
- struct aa_file_cxt *cxt = file->f_security;
+ struct aa_file_cxt *cxt = lsm_get_file(file, &apparmor_ops);
+ lsm_set_file(file, NULL, &apparmor_ops);
aa_free_file_context(cxt);
}
static int common_file_perm(int op, struct file *file, u32 mask)
{
- struct aa_file_cxt *fcxt = file->f_security;
+ struct aa_file_cxt *fcxt = lsm_get_file(file, &apparmor_ops);
struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
int error = 0;
@@ -472,7 +462,7 @@ static int common_mmap(int op, struct file *file, unsigned long prot,
struct dentry *dentry;
int mask = 0;
- if (!file || !file->f_security)
+ if (!file || !lsm_get_file(file, &apparmor_ops))
return 0;
if (prot & PROT_READ)
@@ -510,7 +500,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
struct aa_profile *profile;
/* released below */
const struct cred *cred = get_task_cred(task);
- struct aa_task_cxt *cxt = cred->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
if (strcmp(name, "current") == 0)
@@ -614,7 +604,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
-static struct security_operations apparmor_ops = {
+struct security_operations apparmor_ops = {
.name = "apparmor",
.ptrace_access_check = apparmor_ptrace_access_check,
@@ -878,6 +868,7 @@ static int param_set_mode(const char *val, struct kernel_param *kp)
*/
static int __init set_init_cxt(void)
{
+ int rc;
struct cred *cred = (struct cred *)current->real_cred;
struct aa_task_cxt *cxt;
@@ -886,9 +877,9 @@ static int __init set_init_cxt(void)
return -ENOMEM;
cxt->profile = aa_get_profile(root_ns->unconfined);
- cred->security = cxt;
+ rc = lsm_set_init_cred(cred, cxt, &apparmor_ops);
- return 0;
+ return rc;
}
static int __init apparmor_init(void)
@@ -913,12 +904,6 @@ static int __init apparmor_init(void)
goto register_security_out;
}
- error = register_security(&apparmor_ops);
- if (error) {
- AA_ERROR("Unable to register AppArmor\n");
- goto set_init_cxt_out;
- }
-
/* Report that AppArmor successfully initialized */
apparmor_initialized = 1;
if (aa_g_profile_mode == APPARMOR_COMPLAIN)
@@ -930,9 +915,6 @@ static int __init apparmor_init(void)
return error;
-set_init_cxt_out:
- aa_free_task_context(current->real_cred->security);
-
register_security_out:
aa_free_root_ns();
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 1/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 1/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Changes for AppArmor. Abstract access to security blobs.
Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/apparmor/context.c | 10 +++---
security/apparmor/domain.c | 19 ++++------
security/apparmor/include/context.h | 13 +++++--
security/apparmor/lsm.c | 66 +++++++++++++----------------------
4 files changed, 45 insertions(+), 63 deletions(-)
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index 8a9b502..3d9e460 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -76,7 +76,7 @@ void aa_dup_task_context(struct aa_task_cxt *new, const struct aa_task_cxt *old)
*/
int aa_replace_current_profile(struct aa_profile *profile)
{
- struct aa_task_cxt *cxt = current_cred()->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(current_cred(), &apparmor_ops);
struct cred *new;
BUG_ON(!profile);
@@ -87,7 +87,7 @@ int aa_replace_current_profile(struct aa_profile *profile)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
/* if switching to unconfined or a different profile namespace
* clear out context state
@@ -123,7 +123,7 @@ int aa_set_current_onexec(struct aa_profile *profile)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
aa_get_profile(profile);
aa_put_profile(cxt->onexec);
cxt->onexec = profile;
@@ -150,7 +150,7 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token)
return -ENOMEM;
BUG_ON(!profile);
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (!cxt->previous) {
/* transfer refcount */
cxt->previous = cxt->profile;
@@ -187,7 +187,7 @@ int aa_restore_previous_profile(u64 token)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (cxt->token != token) {
abort_creds(new);
return -EACCES;
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 60f0c76..7ad4e26 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -353,14 +353,12 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
bprm->file->f_path.dentry->d_inode->i_mode
};
const char *name = NULL, *target = NULL, *info = NULL;
- int error = cap_bprm_set_creds(bprm);
- if (error)
- return error;
+ int error = 0;
if (bprm->cred_prepared)
return 0;
- cxt = bprm->cred->security;
+ cxt = lsm_get_cred(bprm->cred, &apparmor_ops);
BUG_ON(!cxt);
profile = aa_get_profile(aa_newest_version(cxt->profile));
@@ -539,15 +537,10 @@ cleanup:
*/
int apparmor_bprm_secureexec(struct linux_binprm *bprm)
{
- int ret = cap_bprm_secureexec(bprm);
-
/* the decision to use secure exec is computed in set_creds
* and stored in bprm->unsafe.
*/
- if (!ret && (bprm->unsafe & AA_SECURE_X_NEEDED))
- ret = 1;
-
- return ret;
+ return bprm->unsafe & AA_SECURE_X_NEEDED;
}
/**
@@ -557,7 +550,7 @@ int apparmor_bprm_secureexec(struct linux_binprm *bprm)
void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
{
struct aa_profile *profile = __aa_current_profile();
- struct aa_task_cxt *new_cxt = bprm->cred->security;
+ struct aa_task_cxt *new_cxt = lsm_get_cred(bprm->cred, &apparmor_ops);
/* bail out if unconfined or not changing profile */
if ((new_cxt->profile == profile) ||
@@ -634,7 +627,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
/* released below */
cred = get_current_cred();
- cxt = cred->security;
+ cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
previous_profile = cxt->previous;
@@ -770,7 +763,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
}
cred = get_current_cred();
- cxt = cred->security;
+ cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
/*
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index a9cbee4..8484e55 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -18,6 +18,7 @@
#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
+#include <linux/lsm.h>
#include "policy.h"
@@ -81,6 +82,8 @@ int aa_set_current_onexec(struct aa_profile *profile);
int aa_set_current_hat(struct aa_profile *profile, u64 token);
int aa_restore_previous_profile(u64 cookie);
+extern struct security_operations apparmor_ops;
+
/**
* __aa_task_is_confined - determine if @task has any confinement
* @task: task to check confinement of (NOT NULL)
@@ -89,7 +92,9 @@ int aa_restore_previous_profile(u64 cookie);
*/
static inline bool __aa_task_is_confined(struct task_struct *task)
{
- struct aa_task_cxt *cxt = __task_cred(task)->security;
+ struct aa_task_cxt *cxt;
+
+ cxt = lsm_get_cred(__task_cred(task), &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
if (unconfined(aa_newest_version(cxt->profile)))
@@ -108,7 +113,7 @@ static inline bool __aa_task_is_confined(struct task_struct *task)
*/
static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
{
- struct aa_task_cxt *cxt = cred->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(cred, &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
return aa_newest_version(cxt->profile);
}
@@ -136,8 +141,10 @@ static inline struct aa_profile *__aa_current_profile(void)
*/
static inline struct aa_profile *aa_current_profile(void)
{
- const struct aa_task_cxt *cxt = current_cred()->security;
+ const struct aa_task_cxt *cxt;
struct aa_profile *profile;
+
+ cxt = lsm_get_cred(current_cred(), &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
profile = aa_newest_version(cxt->profile);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8c2a7f6..28d6fd4 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -48,8 +48,8 @@ int apparmor_initialized __initdata;
*/
static void apparmor_cred_free(struct cred *cred)
{
- aa_free_task_context(cred->security);
- cred->security = NULL;
+ aa_free_task_context(lsm_get_cred(cred, &apparmor_ops));
+ lsm_set_cred(cred, NULL, &apparmor_ops);
}
/*
@@ -62,7 +62,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (!cxt)
return -ENOMEM;
- cred->security = cxt;
+ lsm_set_cred(cred, cxt, &apparmor_ops);
return 0;
}
@@ -77,8 +77,8 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
if (!cxt)
return -ENOMEM;
- aa_dup_task_context(cxt, old->security);
- new->security = cxt;
+ aa_dup_task_context(cxt, lsm_get_cred(old, &apparmor_ops));
+ lsm_set_cred(new, cxt, &apparmor_ops);
return 0;
}
@@ -87,8 +87,8 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
*/
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct aa_task_cxt *old_cxt = old->security;
- struct aa_task_cxt *new_cxt = new->security;
+ const struct aa_task_cxt *old_cxt = lsm_get_cred(old, &apparmor_ops);
+ struct aa_task_cxt *new_cxt = lsm_get_cred(new, &apparmor_ops);
aa_dup_task_context(new_cxt, old_cxt);
}
@@ -96,19 +96,11 @@ static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
static int apparmor_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int error = cap_ptrace_access_check(child, mode);
- if (error)
- return error;
-
return aa_ptrace(current, child, mode);
}
static int apparmor_ptrace_traceme(struct task_struct *parent)
{
- int error = cap_ptrace_traceme(parent);
- if (error)
- return error;
-
return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
}
@@ -140,14 +132,11 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit)
{
struct aa_profile *profile;
- /* cap_capable returns 0 on success, else -EPERM */
- int error = cap_capable(cred, ns, cap, audit);
- if (!error) {
- profile = aa_cred_profile(cred);
- if (!unconfined(profile))
- error = aa_capable(current, profile, cap, audit);
- }
- return error;
+
+ profile = aa_cred_profile(cred);
+ if (!unconfined(profile))
+ return aa_capable(current, profile, cap, audit);
+ return 0;
}
/**
@@ -375,7 +364,7 @@ static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
static int apparmor_file_open(struct file *file, const struct cred *cred)
{
- struct aa_file_cxt *fcxt = file->f_security;
+ struct aa_file_cxt *fcxt = lsm_get_file(file, &apparmor_ops);
struct aa_profile *profile;
int error = 0;
@@ -409,8 +398,8 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
static int apparmor_file_alloc_security(struct file *file)
{
/* freed by apparmor_file_free_security */
- file->f_security = aa_alloc_file_context(GFP_KERNEL);
- if (!file->f_security)
+ lsm_set_file(file, aa_alloc_file_context(GFP_KERNEL), &apparmor_ops);
+ if (!lsm_get_file(file, &apparmor_ops))
return -ENOMEM;
return 0;
@@ -418,14 +407,15 @@ static int apparmor_file_alloc_security(struct file *file)
static void apparmor_file_free_security(struct file *file)
{
- struct aa_file_cxt *cxt = file->f_security;
+ struct aa_file_cxt *cxt = lsm_get_file(file, &apparmor_ops);
+ lsm_set_file(file, NULL, &apparmor_ops);
aa_free_file_context(cxt);
}
static int common_file_perm(int op, struct file *file, u32 mask)
{
- struct aa_file_cxt *fcxt = file->f_security;
+ struct aa_file_cxt *fcxt = lsm_get_file(file, &apparmor_ops);
struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
int error = 0;
@@ -472,7 +462,7 @@ static int common_mmap(int op, struct file *file, unsigned long prot,
struct dentry *dentry;
int mask = 0;
- if (!file || !file->f_security)
+ if (!file || !lsm_get_file(file, &apparmor_ops))
return 0;
if (prot & PROT_READ)
@@ -510,7 +500,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
struct aa_profile *profile;
/* released below */
const struct cred *cred = get_task_cred(task);
- struct aa_task_cxt *cxt = cred->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
if (strcmp(name, "current") == 0)
@@ -614,7 +604,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
-static struct security_operations apparmor_ops = {
+struct security_operations apparmor_ops = {
.name = "apparmor",
.ptrace_access_check = apparmor_ptrace_access_check,
@@ -878,6 +868,7 @@ static int param_set_mode(const char *val, struct kernel_param *kp)
*/
static int __init set_init_cxt(void)
{
+ int rc;
struct cred *cred = (struct cred *)current->real_cred;
struct aa_task_cxt *cxt;
@@ -886,9 +877,9 @@ static int __init set_init_cxt(void)
return -ENOMEM;
cxt->profile = aa_get_profile(root_ns->unconfined);
- cred->security = cxt;
+ rc = lsm_set_init_cred(cred, cxt, &apparmor_ops);
- return 0;
+ return rc;
}
static int __init apparmor_init(void)
@@ -913,12 +904,6 @@ static int __init apparmor_init(void)
goto register_security_out;
}
- error = register_security(&apparmor_ops);
- if (error) {
- AA_ERROR("Unable to register AppArmor\n");
- goto set_init_cxt_out;
- }
-
/* Report that AppArmor successfully initialized */
apparmor_initialized = 1;
if (aa_g_profile_mode == APPARMOR_COMPLAIN)
@@ -930,9 +915,6 @@ static int __init apparmor_init(void)
return error;
-set_init_cxt_out:
- aa_free_task_context(current->real_cred->security);
-
register_security_out:
aa_free_root_ns();
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 2/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 2/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Remove security/capability.c as there is no longer need
of a "default" LSM. Remove unused commoncap function.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/Makefile | 3 +-
security/capability.c | 1081 -------------------------------------------------
security/commoncap.c | 6 -
3 files changed, 1 insertion(+), 1089 deletions(-)
diff --git a/security/Makefile b/security/Makefile
index c26c81e..b1875b1 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -14,9 +14,8 @@ obj-y += commoncap.o
obj-$(CONFIG_MMU) += min_addr.o
# Object file lists
-obj-$(CONFIG_SECURITY) += security.o capability.o
+obj-$(CONFIG_SECURITY) += security.o
obj-$(CONFIG_SECURITYFS) += inode.o
-# Must precede capability.o in order to stack properly.
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
obj-$(CONFIG_AUDIT) += lsm_audit.o
diff --git a/security/capability.c b/security/capability.c
deleted file mode 100644
index 0fe5a02..0000000
--- a/security/capability.c
+++ /dev/null
@@ -1,1081 +0,0 @@
-/*
- * Capabilities Linux Security Module
- *
- * This is the default security module in case no other module is loaded.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- */
-
-#include <linux/security.h>
-
-static int cap_syslog(int type)
-{
- return 0;
-}
-
-static int cap_quotactl(int cmds, int type, int id, struct super_block *sb)
-{
- return 0;
-}
-
-static int cap_quota_on(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_bprm_check_security(struct linux_binprm *bprm)
-{
- return 0;
-}
-
-static void cap_bprm_committing_creds(struct linux_binprm *bprm)
-{
-}
-
-static void cap_bprm_committed_creds(struct linux_binprm *bprm)
-{
-}
-
-static int cap_sb_alloc_security(struct super_block *sb)
-{
- return 0;
-}
-
-static void cap_sb_free_security(struct super_block *sb)
-{
-}
-
-static int cap_sb_copy_data(char *orig, char *copy)
-{
- return 0;
-}
-
-static int cap_sb_remount(struct super_block *sb, void *data)
-{
- return 0;
-}
-
-static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data)
-{
- return 0;
-}
-
-static int cap_sb_show_options(struct seq_file *m, struct super_block *sb)
-{
- return 0;
-}
-
-static int cap_sb_statfs(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_sb_mount(const char *dev_name, struct path *path,
- const char *type, unsigned long flags, void *data)
-{
- return 0;
-}
-
-static int cap_sb_umount(struct vfsmount *mnt, int flags)
-{
- return 0;
-}
-
-static int cap_sb_pivotroot(struct path *old_path, struct path *new_path)
-{
- return 0;
-}
-
-static int cap_sb_set_mnt_opts(struct super_block *sb,
- struct security_mnt_opts *opts)
-{
- if (unlikely(opts->num_mnt_opts))
- return -EOPNOTSUPP;
- return 0;
-}
-
-static void cap_sb_clone_mnt_opts(const struct super_block *oldsb,
- struct super_block *newsb)
-{
-}
-
-static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
-{
- return 0;
-}
-
-static int cap_inode_alloc_security(struct inode *inode)
-{
- return 0;
-}
-
-static void cap_inode_free_security(struct inode *inode)
-{
-}
-
-static int cap_inode_init_security(struct inode *inode, struct inode *dir,
- const struct qstr *qstr, char **name,
- void **value, size_t *len)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_create(struct inode *inode, struct dentry *dentry,
- umode_t mask)
-{
- return 0;
-}
-
-static int cap_inode_link(struct dentry *old_dentry, struct inode *inode,
- struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_inode_unlink(struct inode *inode, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_symlink(struct inode *inode, struct dentry *dentry,
- const char *name)
-{
- return 0;
-}
-
-static int cap_inode_mkdir(struct inode *inode, struct dentry *dentry,
- umode_t mask)
-{
- return 0;
-}
-
-static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_mknod(struct inode *inode, struct dentry *dentry,
- umode_t mode, dev_t dev)
-{
- return 0;
-}
-
-static int cap_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
- struct inode *new_inode, struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_inode_readlink(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_follow_link(struct dentry *dentry,
- struct nameidata *nameidata)
-{
- return 0;
-}
-
-static int cap_inode_permission(struct inode *inode, int mask)
-{
- return 0;
-}
-
-static int cap_inode_setattr(struct dentry *dentry, struct iattr *iattr)
-{
- return 0;
-}
-
-static int cap_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
-{
- return 0;
-}
-
-static void cap_inode_post_setxattr(struct dentry *dentry, const char *name,
- const void *value, size_t size, int flags)
-{
-}
-
-static int cap_inode_getxattr(struct dentry *dentry, const char *name)
-{
- return 0;
-}
-
-static int cap_inode_listxattr(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_getsecurity(const struct inode *inode, const char *name,
- void **buffer, bool alloc)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_setsecurity(struct inode *inode, const char *name,
- const void *value, size_t size, int flags)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_listsecurity(struct inode *inode, char *buffer,
- size_t buffer_size)
-{
- return 0;
-}
-
-static void cap_inode_getsecid(const struct inode *inode, u32 *secid)
-{
- *secid = 0;
-}
-
-#ifdef CONFIG_SECURITY_PATH
-static int cap_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode,
- unsigned int dev)
-{
- return 0;
-}
-
-static int cap_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode)
-{
- return 0;
-}
-
-static int cap_path_rmdir(struct path *dir, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_path_unlink(struct path *dir, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_path_symlink(struct path *dir, struct dentry *dentry,
- const char *old_name)
-{
- return 0;
-}
-
-static int cap_path_link(struct dentry *old_dentry, struct path *new_dir,
- struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_path_rename(struct path *old_path, struct dentry *old_dentry,
- struct path *new_path, struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_path_truncate(struct path *path)
-{
- return 0;
-}
-
-static int cap_path_chmod(struct path *path, umode_t mode)
-{
- return 0;
-}
-
-static int cap_path_chown(struct path *path, kuid_t uid, kgid_t gid)
-{
- return 0;
-}
-
-static int cap_path_chroot(struct path *root)
-{
- return 0;
-}
-#endif
-
-static int cap_file_permission(struct file *file, int mask)
-{
- return 0;
-}
-
-static int cap_file_alloc_security(struct file *file)
-{
- return 0;
-}
-
-static void cap_file_free_security(struct file *file)
-{
-}
-
-static int cap_file_ioctl(struct file *file, unsigned int command,
- unsigned long arg)
-{
- return 0;
-}
-
-static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
- unsigned long prot)
-{
- return 0;
-}
-
-static int cap_file_lock(struct file *file, unsigned int cmd)
-{
- return 0;
-}
-
-static int cap_file_fcntl(struct file *file, unsigned int cmd,
- unsigned long arg)
-{
- return 0;
-}
-
-static int cap_file_set_fowner(struct file *file)
-{
- return 0;
-}
-
-static int cap_file_send_sigiotask(struct task_struct *tsk,
- struct fown_struct *fown, int sig)
-{
- return 0;
-}
-
-static int cap_file_receive(struct file *file)
-{
- return 0;
-}
-
-static int cap_file_open(struct file *file, const struct cred *cred)
-{
- return 0;
-}
-
-static int cap_task_create(unsigned long clone_flags)
-{
- return 0;
-}
-
-static void cap_task_free(struct task_struct *task)
-{
-}
-
-static int cap_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- return 0;
-}
-
-static void cap_cred_free(struct cred *cred)
-{
-}
-
-static int cap_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp)
-{
- return 0;
-}
-
-static void cap_cred_transfer(struct cred *new, const struct cred *old)
-{
-}
-
-static int cap_kernel_act_as(struct cred *new, u32 secid)
-{
- return 0;
-}
-
-static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
-{
- return 0;
-}
-
-static int cap_kernel_module_request(char *kmod_name)
-{
- return 0;
-}
-
-static int cap_kernel_module_from_file(struct file *file)
-{
- return 0;
-}
-
-static int cap_task_setpgid(struct task_struct *p, pid_t pgid)
-{
- return 0;
-}
-
-static int cap_task_getpgid(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_getsid(struct task_struct *p)
-{
- return 0;
-}
-
-static void cap_task_getsecid(struct task_struct *p, u32 *secid)
-{
- *secid = 0;
-}
-
-static int cap_task_getioprio(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_setrlimit(struct task_struct *p, unsigned int resource,
- struct rlimit *new_rlim)
-{
- return 0;
-}
-
-static int cap_task_getscheduler(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_movememory(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_wait(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
-{
- return 0;
-}
-
-static void cap_task_to_inode(struct task_struct *p, struct inode *inode)
-{
-}
-
-static int cap_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
-{
- return 0;
-}
-
-static void cap_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
-{
- *secid = 0;
-}
-
-static int cap_msg_msg_alloc_security(struct msg_msg *msg)
-{
- return 0;
-}
-
-static void cap_msg_msg_free_security(struct msg_msg *msg)
-{
-}
-
-static int cap_msg_queue_alloc_security(struct msg_queue *msq)
-{
- return 0;
-}
-
-static void cap_msg_queue_free_security(struct msg_queue *msq)
-{
-}
-
-static int cap_msg_queue_associate(struct msg_queue *msq, int msqflg)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgctl(struct msg_queue *msq, int cmd)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
- int msgflg)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
- struct task_struct *target, long type, int mode)
-{
- return 0;
-}
-
-static int cap_shm_alloc_security(struct shmid_kernel *shp)
-{
- return 0;
-}
-
-static void cap_shm_free_security(struct shmid_kernel *shp)
-{
-}
-
-static int cap_shm_associate(struct shmid_kernel *shp, int shmflg)
-{
- return 0;
-}
-
-static int cap_shm_shmctl(struct shmid_kernel *shp, int cmd)
-{
- return 0;
-}
-
-static int cap_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
- int shmflg)
-{
- return 0;
-}
-
-static int cap_sem_alloc_security(struct sem_array *sma)
-{
- return 0;
-}
-
-static void cap_sem_free_security(struct sem_array *sma)
-{
-}
-
-static int cap_sem_associate(struct sem_array *sma, int semflg)
-{
- return 0;
-}
-
-static int cap_sem_semctl(struct sem_array *sma, int cmd)
-{
- return 0;
-}
-
-static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops,
- unsigned nsops, int alter)
-{
- return 0;
-}
-
-#ifdef CONFIG_SECURITY_NETWORK
-static int cap_unix_stream_connect(struct sock *sock, struct sock *other,
- struct sock *newsk)
-{
- return 0;
-}
-
-static int cap_unix_may_send(struct socket *sock, struct socket *other)
-{
- return 0;
-}
-
-static int cap_socket_create(int family, int type, int protocol, int kern)
-{
- return 0;
-}
-
-static int cap_socket_post_create(struct socket *sock, int family, int type,
- int protocol, int kern)
-{
- return 0;
-}
-
-static int cap_socket_bind(struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int cap_socket_connect(struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int cap_socket_listen(struct socket *sock, int backlog)
-{
- return 0;
-}
-
-static int cap_socket_accept(struct socket *sock, struct socket *newsock)
-{
- return 0;
-}
-
-static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
-{
- return 0;
-}
-
-static int cap_socket_recvmsg(struct socket *sock, struct msghdr *msg,
- int size, int flags)
-{
- return 0;
-}
-
-static int cap_socket_getsockname(struct socket *sock)
-{
- return 0;
-}
-
-static int cap_socket_getpeername(struct socket *sock)
-{
- return 0;
-}
-
-static int cap_socket_setsockopt(struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int cap_socket_getsockopt(struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int cap_socket_shutdown(struct socket *sock, int how)
-{
- return 0;
-}
-
-static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
-{
- return 0;
-}
-
-static int cap_socket_getpeersec_stream(struct socket *sock,
- char __user *optval,
- int __user *optlen, unsigned len)
-{
- return -ENOPROTOOPT;
-}
-
-static int cap_socket_getpeersec_dgram(struct socket *sock,
- struct sk_buff *skb, u32 *secid)
-{
- return -ENOPROTOOPT;
-}
-
-static int cap_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
-{
- return 0;
-}
-
-static void cap_sk_free_security(struct sock *sk)
-{
-}
-
-static void cap_sk_clone_security(const struct sock *sk, struct sock *newsk)
-{
-}
-
-static void cap_sk_getsecid(struct sock *sk, u32 *secid)
-{
-}
-
-static void cap_sock_graft(struct sock *sk, struct socket *parent)
-{
-}
-
-static int cap_inet_conn_request(struct sock *sk, struct sk_buff *skb,
- struct request_sock *req)
-{
- return 0;
-}
-
-static void cap_inet_csk_clone(struct sock *newsk,
- const struct request_sock *req)
-{
-}
-
-static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb)
-{
-}
-
-static int cap_secmark_relabel_packet(u32 secid)
-{
- return 0;
-}
-
-static void cap_secmark_refcount_inc(void)
-{
-}
-
-static void cap_secmark_refcount_dec(void)
-{
-}
-
-static void cap_req_classify_flow(const struct request_sock *req,
- struct flowi *fl)
-{
-}
-
-static int cap_tun_dev_create(void)
-{
- return 0;
-}
-
-static void cap_tun_dev_post_create(struct sock *sk)
-{
-}
-
-static int cap_tun_dev_attach(struct sock *sk)
-{
- return 0;
-}
-#endif /* CONFIG_SECURITY_NETWORK */
-
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
-static int cap_xfrm_policy_alloc_security(struct xfrm_sec_ctx **ctxp,
- struct xfrm_user_sec_ctx *sec_ctx)
-{
- return 0;
-}
-
-static int cap_xfrm_policy_clone_security(struct xfrm_sec_ctx *old_ctx,
- struct xfrm_sec_ctx **new_ctxp)
-{
- return 0;
-}
-
-static void cap_xfrm_policy_free_security(struct xfrm_sec_ctx *ctx)
-{
-}
-
-static int cap_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx)
-{
- return 0;
-}
-
-static int cap_xfrm_state_alloc_security(struct xfrm_state *x,
- struct xfrm_user_sec_ctx *sec_ctx,
- u32 secid)
-{
- return 0;
-}
-
-static void cap_xfrm_state_free_security(struct xfrm_state *x)
-{
-}
-
-static int cap_xfrm_state_delete_security(struct xfrm_state *x)
-{
- return 0;
-}
-
-static int cap_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 sk_sid, u8 dir)
-{
- return 0;
-}
-
-static int cap_xfrm_state_pol_flow_match(struct xfrm_state *x,
- struct xfrm_policy *xp,
- const struct flowi *fl)
-{
- return 1;
-}
-
-static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
-{
- return 0;
-}
-
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
-{
-}
-
-static int cap_getprocattr(struct task_struct *p, char *name, char **value)
-{
- return -EINVAL;
-}
-
-static int cap_setprocattr(struct task_struct *p, char *name, void *value,
- size_t size)
-{
- return -EINVAL;
-}
-
-static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
-{
- *secid = 0;
- return 0;
-}
-
-static void cap_release_secctx(char *secdata, u32 seclen)
-{
-}
-
-static int cap_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
-{
- return 0;
-}
-
-static int cap_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
-{
- return 0;
-}
-
-static int cap_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
-{
- return 0;
-}
-#ifdef CONFIG_KEYS
-static int cap_key_alloc(struct key *key, const struct cred *cred,
- unsigned long flags)
-{
- return 0;
-}
-
-static void cap_key_free(struct key *key)
-{
-}
-
-static int cap_key_permission(key_ref_t key_ref, const struct cred *cred,
- key_perm_t perm)
-{
- return 0;
-}
-
-static int cap_key_getsecurity(struct key *key, char **_buffer)
-{
- *_buffer = NULL;
- return 0;
-}
-
-#endif /* CONFIG_KEYS */
-
-#ifdef CONFIG_AUDIT
-static int cap_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
-{
- return 0;
-}
-
-static int cap_audit_rule_known(struct audit_krule *krule)
-{
- return 0;
-}
-
-static int cap_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
- struct audit_context *actx)
-{
- return 0;
-}
-
-static void cap_audit_rule_free(void *lsmrule)
-{
-}
-#endif /* CONFIG_AUDIT */
-
-#define set_to_cap_if_null(ops, function) \
- do { \
- if (!ops->function) { \
- ops->function = cap_##function; \
- pr_debug("Had to override the " #function \
- " security operation with the default.\n");\
- } \
- } while (0)
-
-void __init security_fixup_ops(struct security_operations *ops)
-{
- set_to_cap_if_null(ops, ptrace_access_check);
- set_to_cap_if_null(ops, ptrace_traceme);
- set_to_cap_if_null(ops, capget);
- set_to_cap_if_null(ops, capset);
- set_to_cap_if_null(ops, capable);
- set_to_cap_if_null(ops, quotactl);
- set_to_cap_if_null(ops, quota_on);
- set_to_cap_if_null(ops, syslog);
- set_to_cap_if_null(ops, settime);
- set_to_cap_if_null(ops, vm_enough_memory);
- set_to_cap_if_null(ops, bprm_set_creds);
- set_to_cap_if_null(ops, bprm_committing_creds);
- set_to_cap_if_null(ops, bprm_committed_creds);
- set_to_cap_if_null(ops, bprm_check_security);
- set_to_cap_if_null(ops, bprm_secureexec);
- set_to_cap_if_null(ops, sb_alloc_security);
- set_to_cap_if_null(ops, sb_free_security);
- set_to_cap_if_null(ops, sb_copy_data);
- set_to_cap_if_null(ops, sb_remount);
- set_to_cap_if_null(ops, sb_kern_mount);
- set_to_cap_if_null(ops, sb_show_options);
- set_to_cap_if_null(ops, sb_statfs);
- set_to_cap_if_null(ops, sb_mount);
- set_to_cap_if_null(ops, sb_umount);
- set_to_cap_if_null(ops, sb_pivotroot);
- set_to_cap_if_null(ops, sb_set_mnt_opts);
- set_to_cap_if_null(ops, sb_clone_mnt_opts);
- set_to_cap_if_null(ops, sb_parse_opts_str);
- set_to_cap_if_null(ops, inode_alloc_security);
- set_to_cap_if_null(ops, inode_free_security);
- set_to_cap_if_null(ops, inode_init_security);
- set_to_cap_if_null(ops, inode_create);
- set_to_cap_if_null(ops, inode_link);
- set_to_cap_if_null(ops, inode_unlink);
- set_to_cap_if_null(ops, inode_symlink);
- set_to_cap_if_null(ops, inode_mkdir);
- set_to_cap_if_null(ops, inode_rmdir);
- set_to_cap_if_null(ops, inode_mknod);
- set_to_cap_if_null(ops, inode_rename);
- set_to_cap_if_null(ops, inode_readlink);
- set_to_cap_if_null(ops, inode_follow_link);
- set_to_cap_if_null(ops, inode_permission);
- set_to_cap_if_null(ops, inode_setattr);
- set_to_cap_if_null(ops, inode_getattr);
- set_to_cap_if_null(ops, inode_setxattr);
- set_to_cap_if_null(ops, inode_post_setxattr);
- set_to_cap_if_null(ops, inode_getxattr);
- set_to_cap_if_null(ops, inode_listxattr);
- set_to_cap_if_null(ops, inode_removexattr);
- set_to_cap_if_null(ops, inode_need_killpriv);
- set_to_cap_if_null(ops, inode_killpriv);
- set_to_cap_if_null(ops, inode_getsecurity);
- set_to_cap_if_null(ops, inode_setsecurity);
- set_to_cap_if_null(ops, inode_listsecurity);
- set_to_cap_if_null(ops, inode_getsecid);
-#ifdef CONFIG_SECURITY_PATH
- set_to_cap_if_null(ops, path_mknod);
- set_to_cap_if_null(ops, path_mkdir);
- set_to_cap_if_null(ops, path_rmdir);
- set_to_cap_if_null(ops, path_unlink);
- set_to_cap_if_null(ops, path_symlink);
- set_to_cap_if_null(ops, path_link);
- set_to_cap_if_null(ops, path_rename);
- set_to_cap_if_null(ops, path_truncate);
- set_to_cap_if_null(ops, path_chmod);
- set_to_cap_if_null(ops, path_chown);
- set_to_cap_if_null(ops, path_chroot);
-#endif
- set_to_cap_if_null(ops, file_permission);
- set_to_cap_if_null(ops, file_alloc_security);
- set_to_cap_if_null(ops, file_free_security);
- set_to_cap_if_null(ops, file_ioctl);
- set_to_cap_if_null(ops, mmap_addr);
- set_to_cap_if_null(ops, mmap_file);
- set_to_cap_if_null(ops, file_mprotect);
- set_to_cap_if_null(ops, file_lock);
- set_to_cap_if_null(ops, file_fcntl);
- set_to_cap_if_null(ops, file_set_fowner);
- set_to_cap_if_null(ops, file_send_sigiotask);
- set_to_cap_if_null(ops, file_receive);
- set_to_cap_if_null(ops, file_open);
- set_to_cap_if_null(ops, task_create);
- set_to_cap_if_null(ops, task_free);
- set_to_cap_if_null(ops, cred_alloc_blank);
- set_to_cap_if_null(ops, cred_free);
- set_to_cap_if_null(ops, cred_prepare);
- set_to_cap_if_null(ops, cred_transfer);
- set_to_cap_if_null(ops, kernel_act_as);
- set_to_cap_if_null(ops, kernel_create_files_as);
- set_to_cap_if_null(ops, kernel_module_request);
- set_to_cap_if_null(ops, kernel_module_from_file);
- set_to_cap_if_null(ops, task_fix_setuid);
- set_to_cap_if_null(ops, task_setpgid);
- set_to_cap_if_null(ops, task_getpgid);
- set_to_cap_if_null(ops, task_getsid);
- set_to_cap_if_null(ops, task_getsecid);
- set_to_cap_if_null(ops, task_setnice);
- set_to_cap_if_null(ops, task_setioprio);
- set_to_cap_if_null(ops, task_getioprio);
- set_to_cap_if_null(ops, task_setrlimit);
- set_to_cap_if_null(ops, task_setscheduler);
- set_to_cap_if_null(ops, task_getscheduler);
- set_to_cap_if_null(ops, task_movememory);
- set_to_cap_if_null(ops, task_wait);
- set_to_cap_if_null(ops, task_kill);
- set_to_cap_if_null(ops, task_prctl);
- set_to_cap_if_null(ops, task_to_inode);
- set_to_cap_if_null(ops, ipc_permission);
- set_to_cap_if_null(ops, ipc_getsecid);
- set_to_cap_if_null(ops, msg_msg_alloc_security);
- set_to_cap_if_null(ops, msg_msg_free_security);
- set_to_cap_if_null(ops, msg_queue_alloc_security);
- set_to_cap_if_null(ops, msg_queue_free_security);
- set_to_cap_if_null(ops, msg_queue_associate);
- set_to_cap_if_null(ops, msg_queue_msgctl);
- set_to_cap_if_null(ops, msg_queue_msgsnd);
- set_to_cap_if_null(ops, msg_queue_msgrcv);
- set_to_cap_if_null(ops, shm_alloc_security);
- set_to_cap_if_null(ops, shm_free_security);
- set_to_cap_if_null(ops, shm_associate);
- set_to_cap_if_null(ops, shm_shmctl);
- set_to_cap_if_null(ops, shm_shmat);
- set_to_cap_if_null(ops, sem_alloc_security);
- set_to_cap_if_null(ops, sem_free_security);
- set_to_cap_if_null(ops, sem_associate);
- set_to_cap_if_null(ops, sem_semctl);
- set_to_cap_if_null(ops, sem_semop);
- set_to_cap_if_null(ops, netlink_send);
- set_to_cap_if_null(ops, d_instantiate);
- set_to_cap_if_null(ops, getprocattr);
- set_to_cap_if_null(ops, setprocattr);
- set_to_cap_if_null(ops, secid_to_secctx);
- set_to_cap_if_null(ops, secctx_to_secid);
- set_to_cap_if_null(ops, release_secctx);
- set_to_cap_if_null(ops, inode_notifysecctx);
- set_to_cap_if_null(ops, inode_setsecctx);
- set_to_cap_if_null(ops, inode_getsecctx);
-#ifdef CONFIG_SECURITY_NETWORK
- set_to_cap_if_null(ops, unix_stream_connect);
- set_to_cap_if_null(ops, unix_may_send);
- set_to_cap_if_null(ops, socket_create);
- set_to_cap_if_null(ops, socket_post_create);
- set_to_cap_if_null(ops, socket_bind);
- set_to_cap_if_null(ops, socket_connect);
- set_to_cap_if_null(ops, socket_listen);
- set_to_cap_if_null(ops, socket_accept);
- set_to_cap_if_null(ops, socket_sendmsg);
- set_to_cap_if_null(ops, socket_recvmsg);
- set_to_cap_if_null(ops, socket_getsockname);
- set_to_cap_if_null(ops, socket_getpeername);
- set_to_cap_if_null(ops, socket_setsockopt);
- set_to_cap_if_null(ops, socket_getsockopt);
- set_to_cap_if_null(ops, socket_shutdown);
- set_to_cap_if_null(ops, socket_sock_rcv_skb);
- set_to_cap_if_null(ops, socket_getpeersec_stream);
- set_to_cap_if_null(ops, socket_getpeersec_dgram);
- set_to_cap_if_null(ops, sk_alloc_security);
- set_to_cap_if_null(ops, sk_free_security);
- set_to_cap_if_null(ops, sk_clone_security);
- set_to_cap_if_null(ops, sk_getsecid);
- set_to_cap_if_null(ops, sock_graft);
- set_to_cap_if_null(ops, inet_conn_request);
- set_to_cap_if_null(ops, inet_csk_clone);
- set_to_cap_if_null(ops, inet_conn_established);
- set_to_cap_if_null(ops, secmark_relabel_packet);
- set_to_cap_if_null(ops, secmark_refcount_inc);
- set_to_cap_if_null(ops, secmark_refcount_dec);
- set_to_cap_if_null(ops, req_classify_flow);
- set_to_cap_if_null(ops, tun_dev_create);
- set_to_cap_if_null(ops, tun_dev_post_create);
- set_to_cap_if_null(ops, tun_dev_attach);
-#endif /* CONFIG_SECURITY_NETWORK */
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
- set_to_cap_if_null(ops, xfrm_policy_alloc_security);
- set_to_cap_if_null(ops, xfrm_policy_clone_security);
- set_to_cap_if_null(ops, xfrm_policy_free_security);
- set_to_cap_if_null(ops, xfrm_policy_delete_security);
- set_to_cap_if_null(ops, xfrm_state_alloc_security);
- set_to_cap_if_null(ops, xfrm_state_free_security);
- set_to_cap_if_null(ops, xfrm_state_delete_security);
- set_to_cap_if_null(ops, xfrm_policy_lookup);
- set_to_cap_if_null(ops, xfrm_state_pol_flow_match);
- set_to_cap_if_null(ops, xfrm_decode_session);
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-#ifdef CONFIG_KEYS
- set_to_cap_if_null(ops, key_alloc);
- set_to_cap_if_null(ops, key_free);
- set_to_cap_if_null(ops, key_permission);
- set_to_cap_if_null(ops, key_getsecurity);
-#endif /* CONFIG_KEYS */
-#ifdef CONFIG_AUDIT
- set_to_cap_if_null(ops, audit_rule_init);
- set_to_cap_if_null(ops, audit_rule_known);
- set_to_cap_if_null(ops, audit_rule_match);
- set_to_cap_if_null(ops, audit_rule_free);
-#endif
-}
diff --git a/security/commoncap.c b/security/commoncap.c
index 7ee08c7..296ddc2 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -988,9 +988,3 @@ int cap_mmap_addr(unsigned long addr)
}
return ret;
}
-
-int cap_mmap_file(struct file *file, unsigned long reqprot,
- unsigned long prot, unsigned long flags)
-{
- return 0;
-}
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 2/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 2/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Remove security/capability.c as there is no longer need
of a "default" LSM. Remove unused commoncap function.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/Makefile | 3 +-
security/capability.c | 1081 -------------------------------------------------
security/commoncap.c | 6 -
3 files changed, 1 insertion(+), 1089 deletions(-)
diff --git a/security/Makefile b/security/Makefile
index c26c81e..b1875b1 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -14,9 +14,8 @@ obj-y += commoncap.o
obj-$(CONFIG_MMU) += min_addr.o
# Object file lists
-obj-$(CONFIG_SECURITY) += security.o capability.o
+obj-$(CONFIG_SECURITY) += security.o
obj-$(CONFIG_SECURITYFS) += inode.o
-# Must precede capability.o in order to stack properly.
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
obj-$(CONFIG_AUDIT) += lsm_audit.o
diff --git a/security/capability.c b/security/capability.c
deleted file mode 100644
index 0fe5a02..0000000
--- a/security/capability.c
+++ /dev/null
@@ -1,1081 +0,0 @@
-/*
- * Capabilities Linux Security Module
- *
- * This is the default security module in case no other module is loaded.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- */
-
-#include <linux/security.h>
-
-static int cap_syslog(int type)
-{
- return 0;
-}
-
-static int cap_quotactl(int cmds, int type, int id, struct super_block *sb)
-{
- return 0;
-}
-
-static int cap_quota_on(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_bprm_check_security(struct linux_binprm *bprm)
-{
- return 0;
-}
-
-static void cap_bprm_committing_creds(struct linux_binprm *bprm)
-{
-}
-
-static void cap_bprm_committed_creds(struct linux_binprm *bprm)
-{
-}
-
-static int cap_sb_alloc_security(struct super_block *sb)
-{
- return 0;
-}
-
-static void cap_sb_free_security(struct super_block *sb)
-{
-}
-
-static int cap_sb_copy_data(char *orig, char *copy)
-{
- return 0;
-}
-
-static int cap_sb_remount(struct super_block *sb, void *data)
-{
- return 0;
-}
-
-static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data)
-{
- return 0;
-}
-
-static int cap_sb_show_options(struct seq_file *m, struct super_block *sb)
-{
- return 0;
-}
-
-static int cap_sb_statfs(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_sb_mount(const char *dev_name, struct path *path,
- const char *type, unsigned long flags, void *data)
-{
- return 0;
-}
-
-static int cap_sb_umount(struct vfsmount *mnt, int flags)
-{
- return 0;
-}
-
-static int cap_sb_pivotroot(struct path *old_path, struct path *new_path)
-{
- return 0;
-}
-
-static int cap_sb_set_mnt_opts(struct super_block *sb,
- struct security_mnt_opts *opts)
-{
- if (unlikely(opts->num_mnt_opts))
- return -EOPNOTSUPP;
- return 0;
-}
-
-static void cap_sb_clone_mnt_opts(const struct super_block *oldsb,
- struct super_block *newsb)
-{
-}
-
-static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
-{
- return 0;
-}
-
-static int cap_inode_alloc_security(struct inode *inode)
-{
- return 0;
-}
-
-static void cap_inode_free_security(struct inode *inode)
-{
-}
-
-static int cap_inode_init_security(struct inode *inode, struct inode *dir,
- const struct qstr *qstr, char **name,
- void **value, size_t *len)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_create(struct inode *inode, struct dentry *dentry,
- umode_t mask)
-{
- return 0;
-}
-
-static int cap_inode_link(struct dentry *old_dentry, struct inode *inode,
- struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_inode_unlink(struct inode *inode, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_symlink(struct inode *inode, struct dentry *dentry,
- const char *name)
-{
- return 0;
-}
-
-static int cap_inode_mkdir(struct inode *inode, struct dentry *dentry,
- umode_t mask)
-{
- return 0;
-}
-
-static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_mknod(struct inode *inode, struct dentry *dentry,
- umode_t mode, dev_t dev)
-{
- return 0;
-}
-
-static int cap_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
- struct inode *new_inode, struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_inode_readlink(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_follow_link(struct dentry *dentry,
- struct nameidata *nameidata)
-{
- return 0;
-}
-
-static int cap_inode_permission(struct inode *inode, int mask)
-{
- return 0;
-}
-
-static int cap_inode_setattr(struct dentry *dentry, struct iattr *iattr)
-{
- return 0;
-}
-
-static int cap_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
-{
- return 0;
-}
-
-static void cap_inode_post_setxattr(struct dentry *dentry, const char *name,
- const void *value, size_t size, int flags)
-{
-}
-
-static int cap_inode_getxattr(struct dentry *dentry, const char *name)
-{
- return 0;
-}
-
-static int cap_inode_listxattr(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_getsecurity(const struct inode *inode, const char *name,
- void **buffer, bool alloc)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_setsecurity(struct inode *inode, const char *name,
- const void *value, size_t size, int flags)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_listsecurity(struct inode *inode, char *buffer,
- size_t buffer_size)
-{
- return 0;
-}
-
-static void cap_inode_getsecid(const struct inode *inode, u32 *secid)
-{
- *secid = 0;
-}
-
-#ifdef CONFIG_SECURITY_PATH
-static int cap_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode,
- unsigned int dev)
-{
- return 0;
-}
-
-static int cap_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode)
-{
- return 0;
-}
-
-static int cap_path_rmdir(struct path *dir, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_path_unlink(struct path *dir, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_path_symlink(struct path *dir, struct dentry *dentry,
- const char *old_name)
-{
- return 0;
-}
-
-static int cap_path_link(struct dentry *old_dentry, struct path *new_dir,
- struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_path_rename(struct path *old_path, struct dentry *old_dentry,
- struct path *new_path, struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_path_truncate(struct path *path)
-{
- return 0;
-}
-
-static int cap_path_chmod(struct path *path, umode_t mode)
-{
- return 0;
-}
-
-static int cap_path_chown(struct path *path, kuid_t uid, kgid_t gid)
-{
- return 0;
-}
-
-static int cap_path_chroot(struct path *root)
-{
- return 0;
-}
-#endif
-
-static int cap_file_permission(struct file *file, int mask)
-{
- return 0;
-}
-
-static int cap_file_alloc_security(struct file *file)
-{
- return 0;
-}
-
-static void cap_file_free_security(struct file *file)
-{
-}
-
-static int cap_file_ioctl(struct file *file, unsigned int command,
- unsigned long arg)
-{
- return 0;
-}
-
-static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
- unsigned long prot)
-{
- return 0;
-}
-
-static int cap_file_lock(struct file *file, unsigned int cmd)
-{
- return 0;
-}
-
-static int cap_file_fcntl(struct file *file, unsigned int cmd,
- unsigned long arg)
-{
- return 0;
-}
-
-static int cap_file_set_fowner(struct file *file)
-{
- return 0;
-}
-
-static int cap_file_send_sigiotask(struct task_struct *tsk,
- struct fown_struct *fown, int sig)
-{
- return 0;
-}
-
-static int cap_file_receive(struct file *file)
-{
- return 0;
-}
-
-static int cap_file_open(struct file *file, const struct cred *cred)
-{
- return 0;
-}
-
-static int cap_task_create(unsigned long clone_flags)
-{
- return 0;
-}
-
-static void cap_task_free(struct task_struct *task)
-{
-}
-
-static int cap_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- return 0;
-}
-
-static void cap_cred_free(struct cred *cred)
-{
-}
-
-static int cap_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp)
-{
- return 0;
-}
-
-static void cap_cred_transfer(struct cred *new, const struct cred *old)
-{
-}
-
-static int cap_kernel_act_as(struct cred *new, u32 secid)
-{
- return 0;
-}
-
-static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
-{
- return 0;
-}
-
-static int cap_kernel_module_request(char *kmod_name)
-{
- return 0;
-}
-
-static int cap_kernel_module_from_file(struct file *file)
-{
- return 0;
-}
-
-static int cap_task_setpgid(struct task_struct *p, pid_t pgid)
-{
- return 0;
-}
-
-static int cap_task_getpgid(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_getsid(struct task_struct *p)
-{
- return 0;
-}
-
-static void cap_task_getsecid(struct task_struct *p, u32 *secid)
-{
- *secid = 0;
-}
-
-static int cap_task_getioprio(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_setrlimit(struct task_struct *p, unsigned int resource,
- struct rlimit *new_rlim)
-{
- return 0;
-}
-
-static int cap_task_getscheduler(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_movememory(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_wait(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
-{
- return 0;
-}
-
-static void cap_task_to_inode(struct task_struct *p, struct inode *inode)
-{
-}
-
-static int cap_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
-{
- return 0;
-}
-
-static void cap_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
-{
- *secid = 0;
-}
-
-static int cap_msg_msg_alloc_security(struct msg_msg *msg)
-{
- return 0;
-}
-
-static void cap_msg_msg_free_security(struct msg_msg *msg)
-{
-}
-
-static int cap_msg_queue_alloc_security(struct msg_queue *msq)
-{
- return 0;
-}
-
-static void cap_msg_queue_free_security(struct msg_queue *msq)
-{
-}
-
-static int cap_msg_queue_associate(struct msg_queue *msq, int msqflg)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgctl(struct msg_queue *msq, int cmd)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
- int msgflg)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
- struct task_struct *target, long type, int mode)
-{
- return 0;
-}
-
-static int cap_shm_alloc_security(struct shmid_kernel *shp)
-{
- return 0;
-}
-
-static void cap_shm_free_security(struct shmid_kernel *shp)
-{
-}
-
-static int cap_shm_associate(struct shmid_kernel *shp, int shmflg)
-{
- return 0;
-}
-
-static int cap_shm_shmctl(struct shmid_kernel *shp, int cmd)
-{
- return 0;
-}
-
-static int cap_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
- int shmflg)
-{
- return 0;
-}
-
-static int cap_sem_alloc_security(struct sem_array *sma)
-{
- return 0;
-}
-
-static void cap_sem_free_security(struct sem_array *sma)
-{
-}
-
-static int cap_sem_associate(struct sem_array *sma, int semflg)
-{
- return 0;
-}
-
-static int cap_sem_semctl(struct sem_array *sma, int cmd)
-{
- return 0;
-}
-
-static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops,
- unsigned nsops, int alter)
-{
- return 0;
-}
-
-#ifdef CONFIG_SECURITY_NETWORK
-static int cap_unix_stream_connect(struct sock *sock, struct sock *other,
- struct sock *newsk)
-{
- return 0;
-}
-
-static int cap_unix_may_send(struct socket *sock, struct socket *other)
-{
- return 0;
-}
-
-static int cap_socket_create(int family, int type, int protocol, int kern)
-{
- return 0;
-}
-
-static int cap_socket_post_create(struct socket *sock, int family, int type,
- int protocol, int kern)
-{
- return 0;
-}
-
-static int cap_socket_bind(struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int cap_socket_connect(struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int cap_socket_listen(struct socket *sock, int backlog)
-{
- return 0;
-}
-
-static int cap_socket_accept(struct socket *sock, struct socket *newsock)
-{
- return 0;
-}
-
-static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
-{
- return 0;
-}
-
-static int cap_socket_recvmsg(struct socket *sock, struct msghdr *msg,
- int size, int flags)
-{
- return 0;
-}
-
-static int cap_socket_getsockname(struct socket *sock)
-{
- return 0;
-}
-
-static int cap_socket_getpeername(struct socket *sock)
-{
- return 0;
-}
-
-static int cap_socket_setsockopt(struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int cap_socket_getsockopt(struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int cap_socket_shutdown(struct socket *sock, int how)
-{
- return 0;
-}
-
-static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
-{
- return 0;
-}
-
-static int cap_socket_getpeersec_stream(struct socket *sock,
- char __user *optval,
- int __user *optlen, unsigned len)
-{
- return -ENOPROTOOPT;
-}
-
-static int cap_socket_getpeersec_dgram(struct socket *sock,
- struct sk_buff *skb, u32 *secid)
-{
- return -ENOPROTOOPT;
-}
-
-static int cap_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
-{
- return 0;
-}
-
-static void cap_sk_free_security(struct sock *sk)
-{
-}
-
-static void cap_sk_clone_security(const struct sock *sk, struct sock *newsk)
-{
-}
-
-static void cap_sk_getsecid(struct sock *sk, u32 *secid)
-{
-}
-
-static void cap_sock_graft(struct sock *sk, struct socket *parent)
-{
-}
-
-static int cap_inet_conn_request(struct sock *sk, struct sk_buff *skb,
- struct request_sock *req)
-{
- return 0;
-}
-
-static void cap_inet_csk_clone(struct sock *newsk,
- const struct request_sock *req)
-{
-}
-
-static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb)
-{
-}
-
-static int cap_secmark_relabel_packet(u32 secid)
-{
- return 0;
-}
-
-static void cap_secmark_refcount_inc(void)
-{
-}
-
-static void cap_secmark_refcount_dec(void)
-{
-}
-
-static void cap_req_classify_flow(const struct request_sock *req,
- struct flowi *fl)
-{
-}
-
-static int cap_tun_dev_create(void)
-{
- return 0;
-}
-
-static void cap_tun_dev_post_create(struct sock *sk)
-{
-}
-
-static int cap_tun_dev_attach(struct sock *sk)
-{
- return 0;
-}
-#endif /* CONFIG_SECURITY_NETWORK */
-
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
-static int cap_xfrm_policy_alloc_security(struct xfrm_sec_ctx **ctxp,
- struct xfrm_user_sec_ctx *sec_ctx)
-{
- return 0;
-}
-
-static int cap_xfrm_policy_clone_security(struct xfrm_sec_ctx *old_ctx,
- struct xfrm_sec_ctx **new_ctxp)
-{
- return 0;
-}
-
-static void cap_xfrm_policy_free_security(struct xfrm_sec_ctx *ctx)
-{
-}
-
-static int cap_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx)
-{
- return 0;
-}
-
-static int cap_xfrm_state_alloc_security(struct xfrm_state *x,
- struct xfrm_user_sec_ctx *sec_ctx,
- u32 secid)
-{
- return 0;
-}
-
-static void cap_xfrm_state_free_security(struct xfrm_state *x)
-{
-}
-
-static int cap_xfrm_state_delete_security(struct xfrm_state *x)
-{
- return 0;
-}
-
-static int cap_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 sk_sid, u8 dir)
-{
- return 0;
-}
-
-static int cap_xfrm_state_pol_flow_match(struct xfrm_state *x,
- struct xfrm_policy *xp,
- const struct flowi *fl)
-{
- return 1;
-}
-
-static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
-{
- return 0;
-}
-
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
-{
-}
-
-static int cap_getprocattr(struct task_struct *p, char *name, char **value)
-{
- return -EINVAL;
-}
-
-static int cap_setprocattr(struct task_struct *p, char *name, void *value,
- size_t size)
-{
- return -EINVAL;
-}
-
-static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
-{
- *secid = 0;
- return 0;
-}
-
-static void cap_release_secctx(char *secdata, u32 seclen)
-{
-}
-
-static int cap_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
-{
- return 0;
-}
-
-static int cap_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
-{
- return 0;
-}
-
-static int cap_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
-{
- return 0;
-}
-#ifdef CONFIG_KEYS
-static int cap_key_alloc(struct key *key, const struct cred *cred,
- unsigned long flags)
-{
- return 0;
-}
-
-static void cap_key_free(struct key *key)
-{
-}
-
-static int cap_key_permission(key_ref_t key_ref, const struct cred *cred,
- key_perm_t perm)
-{
- return 0;
-}
-
-static int cap_key_getsecurity(struct key *key, char **_buffer)
-{
- *_buffer = NULL;
- return 0;
-}
-
-#endif /* CONFIG_KEYS */
-
-#ifdef CONFIG_AUDIT
-static int cap_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
-{
- return 0;
-}
-
-static int cap_audit_rule_known(struct audit_krule *krule)
-{
- return 0;
-}
-
-static int cap_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
- struct audit_context *actx)
-{
- return 0;
-}
-
-static void cap_audit_rule_free(void *lsmrule)
-{
-}
-#endif /* CONFIG_AUDIT */
-
-#define set_to_cap_if_null(ops, function) \
- do { \
- if (!ops->function) { \
- ops->function = cap_##function; \
- pr_debug("Had to override the " #function \
- " security operation with the default.\n");\
- } \
- } while (0)
-
-void __init security_fixup_ops(struct security_operations *ops)
-{
- set_to_cap_if_null(ops, ptrace_access_check);
- set_to_cap_if_null(ops, ptrace_traceme);
- set_to_cap_if_null(ops, capget);
- set_to_cap_if_null(ops, capset);
- set_to_cap_if_null(ops, capable);
- set_to_cap_if_null(ops, quotactl);
- set_to_cap_if_null(ops, quota_on);
- set_to_cap_if_null(ops, syslog);
- set_to_cap_if_null(ops, settime);
- set_to_cap_if_null(ops, vm_enough_memory);
- set_to_cap_if_null(ops, bprm_set_creds);
- set_to_cap_if_null(ops, bprm_committing_creds);
- set_to_cap_if_null(ops, bprm_committed_creds);
- set_to_cap_if_null(ops, bprm_check_security);
- set_to_cap_if_null(ops, bprm_secureexec);
- set_to_cap_if_null(ops, sb_alloc_security);
- set_to_cap_if_null(ops, sb_free_security);
- set_to_cap_if_null(ops, sb_copy_data);
- set_to_cap_if_null(ops, sb_remount);
- set_to_cap_if_null(ops, sb_kern_mount);
- set_to_cap_if_null(ops, sb_show_options);
- set_to_cap_if_null(ops, sb_statfs);
- set_to_cap_if_null(ops, sb_mount);
- set_to_cap_if_null(ops, sb_umount);
- set_to_cap_if_null(ops, sb_pivotroot);
- set_to_cap_if_null(ops, sb_set_mnt_opts);
- set_to_cap_if_null(ops, sb_clone_mnt_opts);
- set_to_cap_if_null(ops, sb_parse_opts_str);
- set_to_cap_if_null(ops, inode_alloc_security);
- set_to_cap_if_null(ops, inode_free_security);
- set_to_cap_if_null(ops, inode_init_security);
- set_to_cap_if_null(ops, inode_create);
- set_to_cap_if_null(ops, inode_link);
- set_to_cap_if_null(ops, inode_unlink);
- set_to_cap_if_null(ops, inode_symlink);
- set_to_cap_if_null(ops, inode_mkdir);
- set_to_cap_if_null(ops, inode_rmdir);
- set_to_cap_if_null(ops, inode_mknod);
- set_to_cap_if_null(ops, inode_rename);
- set_to_cap_if_null(ops, inode_readlink);
- set_to_cap_if_null(ops, inode_follow_link);
- set_to_cap_if_null(ops, inode_permission);
- set_to_cap_if_null(ops, inode_setattr);
- set_to_cap_if_null(ops, inode_getattr);
- set_to_cap_if_null(ops, inode_setxattr);
- set_to_cap_if_null(ops, inode_post_setxattr);
- set_to_cap_if_null(ops, inode_getxattr);
- set_to_cap_if_null(ops, inode_listxattr);
- set_to_cap_if_null(ops, inode_removexattr);
- set_to_cap_if_null(ops, inode_need_killpriv);
- set_to_cap_if_null(ops, inode_killpriv);
- set_to_cap_if_null(ops, inode_getsecurity);
- set_to_cap_if_null(ops, inode_setsecurity);
- set_to_cap_if_null(ops, inode_listsecurity);
- set_to_cap_if_null(ops, inode_getsecid);
-#ifdef CONFIG_SECURITY_PATH
- set_to_cap_if_null(ops, path_mknod);
- set_to_cap_if_null(ops, path_mkdir);
- set_to_cap_if_null(ops, path_rmdir);
- set_to_cap_if_null(ops, path_unlink);
- set_to_cap_if_null(ops, path_symlink);
- set_to_cap_if_null(ops, path_link);
- set_to_cap_if_null(ops, path_rename);
- set_to_cap_if_null(ops, path_truncate);
- set_to_cap_if_null(ops, path_chmod);
- set_to_cap_if_null(ops, path_chown);
- set_to_cap_if_null(ops, path_chroot);
-#endif
- set_to_cap_if_null(ops, file_permission);
- set_to_cap_if_null(ops, file_alloc_security);
- set_to_cap_if_null(ops, file_free_security);
- set_to_cap_if_null(ops, file_ioctl);
- set_to_cap_if_null(ops, mmap_addr);
- set_to_cap_if_null(ops, mmap_file);
- set_to_cap_if_null(ops, file_mprotect);
- set_to_cap_if_null(ops, file_lock);
- set_to_cap_if_null(ops, file_fcntl);
- set_to_cap_if_null(ops, file_set_fowner);
- set_to_cap_if_null(ops, file_send_sigiotask);
- set_to_cap_if_null(ops, file_receive);
- set_to_cap_if_null(ops, file_open);
- set_to_cap_if_null(ops, task_create);
- set_to_cap_if_null(ops, task_free);
- set_to_cap_if_null(ops, cred_alloc_blank);
- set_to_cap_if_null(ops, cred_free);
- set_to_cap_if_null(ops, cred_prepare);
- set_to_cap_if_null(ops, cred_transfer);
- set_to_cap_if_null(ops, kernel_act_as);
- set_to_cap_if_null(ops, kernel_create_files_as);
- set_to_cap_if_null(ops, kernel_module_request);
- set_to_cap_if_null(ops, kernel_module_from_file);
- set_to_cap_if_null(ops, task_fix_setuid);
- set_to_cap_if_null(ops, task_setpgid);
- set_to_cap_if_null(ops, task_getpgid);
- set_to_cap_if_null(ops, task_getsid);
- set_to_cap_if_null(ops, task_getsecid);
- set_to_cap_if_null(ops, task_setnice);
- set_to_cap_if_null(ops, task_setioprio);
- set_to_cap_if_null(ops, task_getioprio);
- set_to_cap_if_null(ops, task_setrlimit);
- set_to_cap_if_null(ops, task_setscheduler);
- set_to_cap_if_null(ops, task_getscheduler);
- set_to_cap_if_null(ops, task_movememory);
- set_to_cap_if_null(ops, task_wait);
- set_to_cap_if_null(ops, task_kill);
- set_to_cap_if_null(ops, task_prctl);
- set_to_cap_if_null(ops, task_to_inode);
- set_to_cap_if_null(ops, ipc_permission);
- set_to_cap_if_null(ops, ipc_getsecid);
- set_to_cap_if_null(ops, msg_msg_alloc_security);
- set_to_cap_if_null(ops, msg_msg_free_security);
- set_to_cap_if_null(ops, msg_queue_alloc_security);
- set_to_cap_if_null(ops, msg_queue_free_security);
- set_to_cap_if_null(ops, msg_queue_associate);
- set_to_cap_if_null(ops, msg_queue_msgctl);
- set_to_cap_if_null(ops, msg_queue_msgsnd);
- set_to_cap_if_null(ops, msg_queue_msgrcv);
- set_to_cap_if_null(ops, shm_alloc_security);
- set_to_cap_if_null(ops, shm_free_security);
- set_to_cap_if_null(ops, shm_associate);
- set_to_cap_if_null(ops, shm_shmctl);
- set_to_cap_if_null(ops, shm_shmat);
- set_to_cap_if_null(ops, sem_alloc_security);
- set_to_cap_if_null(ops, sem_free_security);
- set_to_cap_if_null(ops, sem_associate);
- set_to_cap_if_null(ops, sem_semctl);
- set_to_cap_if_null(ops, sem_semop);
- set_to_cap_if_null(ops, netlink_send);
- set_to_cap_if_null(ops, d_instantiate);
- set_to_cap_if_null(ops, getprocattr);
- set_to_cap_if_null(ops, setprocattr);
- set_to_cap_if_null(ops, secid_to_secctx);
- set_to_cap_if_null(ops, secctx_to_secid);
- set_to_cap_if_null(ops, release_secctx);
- set_to_cap_if_null(ops, inode_notifysecctx);
- set_to_cap_if_null(ops, inode_setsecctx);
- set_to_cap_if_null(ops, inode_getsecctx);
-#ifdef CONFIG_SECURITY_NETWORK
- set_to_cap_if_null(ops, unix_stream_connect);
- set_to_cap_if_null(ops, unix_may_send);
- set_to_cap_if_null(ops, socket_create);
- set_to_cap_if_null(ops, socket_post_create);
- set_to_cap_if_null(ops, socket_bind);
- set_to_cap_if_null(ops, socket_connect);
- set_to_cap_if_null(ops, socket_listen);
- set_to_cap_if_null(ops, socket_accept);
- set_to_cap_if_null(ops, socket_sendmsg);
- set_to_cap_if_null(ops, socket_recvmsg);
- set_to_cap_if_null(ops, socket_getsockname);
- set_to_cap_if_null(ops, socket_getpeername);
- set_to_cap_if_null(ops, socket_setsockopt);
- set_to_cap_if_null(ops, socket_getsockopt);
- set_to_cap_if_null(ops, socket_shutdown);
- set_to_cap_if_null(ops, socket_sock_rcv_skb);
- set_to_cap_if_null(ops, socket_getpeersec_stream);
- set_to_cap_if_null(ops, socket_getpeersec_dgram);
- set_to_cap_if_null(ops, sk_alloc_security);
- set_to_cap_if_null(ops, sk_free_security);
- set_to_cap_if_null(ops, sk_clone_security);
- set_to_cap_if_null(ops, sk_getsecid);
- set_to_cap_if_null(ops, sock_graft);
- set_to_cap_if_null(ops, inet_conn_request);
- set_to_cap_if_null(ops, inet_csk_clone);
- set_to_cap_if_null(ops, inet_conn_established);
- set_to_cap_if_null(ops, secmark_relabel_packet);
- set_to_cap_if_null(ops, secmark_refcount_inc);
- set_to_cap_if_null(ops, secmark_refcount_dec);
- set_to_cap_if_null(ops, req_classify_flow);
- set_to_cap_if_null(ops, tun_dev_create);
- set_to_cap_if_null(ops, tun_dev_post_create);
- set_to_cap_if_null(ops, tun_dev_attach);
-#endif /* CONFIG_SECURITY_NETWORK */
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
- set_to_cap_if_null(ops, xfrm_policy_alloc_security);
- set_to_cap_if_null(ops, xfrm_policy_clone_security);
- set_to_cap_if_null(ops, xfrm_policy_free_security);
- set_to_cap_if_null(ops, xfrm_policy_delete_security);
- set_to_cap_if_null(ops, xfrm_state_alloc_security);
- set_to_cap_if_null(ops, xfrm_state_free_security);
- set_to_cap_if_null(ops, xfrm_state_delete_security);
- set_to_cap_if_null(ops, xfrm_policy_lookup);
- set_to_cap_if_null(ops, xfrm_state_pol_flow_match);
- set_to_cap_if_null(ops, xfrm_decode_session);
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-#ifdef CONFIG_KEYS
- set_to_cap_if_null(ops, key_alloc);
- set_to_cap_if_null(ops, key_free);
- set_to_cap_if_null(ops, key_permission);
- set_to_cap_if_null(ops, key_getsecurity);
-#endif /* CONFIG_KEYS */
-#ifdef CONFIG_AUDIT
- set_to_cap_if_null(ops, audit_rule_init);
- set_to_cap_if_null(ops, audit_rule_known);
- set_to_cap_if_null(ops, audit_rule_match);
- set_to_cap_if_null(ops, audit_rule_free);
-#endif
-}
diff --git a/security/commoncap.c b/security/commoncap.c
index 7ee08c7..296ddc2 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -988,9 +988,3 @@ int cap_mmap_addr(unsigned long addr)
}
return ret;
}
-
-int cap_mmap_file(struct file *file, unsigned long reqprot,
- unsigned long prot, unsigned long flags)
-{
- return 0;
-}
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 3/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Handle any preconditions in the hooks directly.
Treat allocation and procattr hooks specially.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/security.c | 1496 ++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 1191 insertions(+), 305 deletions(-)
diff --git a/security/security.c b/security/security.c
index daa97f4..72bf9dc 100644
--- a/security/security.c
+++ b/security/security.c
@@ -25,30 +25,287 @@
#include <linux/personality.h>
#include <linux/backing-dev.h>
#include <net/flow.h>
+#include <linux/lsm.h>
+#include <linux/shm.h>
+#include <linux/string.h>
#define MAX_LSM_EVM_XATTR 2
+#define PRESENT_FIRST "FIRSTLSM"
/* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
- CONFIG_DEFAULT_SECURITY;
-static struct security_operations *security_ops;
-static struct security_operations default_security_ops = {
- .name = "default",
-};
+static __initdata char specified_lsms[COMPOSER_MAX][SECURITY_NAME_MAX + 1];
+static __initdata char allowed_lsms[COMPOSER_NAMES_MAX];
+static __initdata char present_lsm[SECURITY_NAME_MAX + 1] =
+ CONFIG_PRESENT_SECURITY;
-static inline int __init verify(struct security_operations *ops)
+struct list_head lsm_hooks[LSM_MAX_HOOKS];
+struct security_operations *lsm_present;
+
+static int (*present_getprocattr)
+ (struct task_struct *p, char *name, char **value);
+static int (*present_setprocattr)
+ (struct task_struct *p, char *name, void *value, size_t size);
+
+static int lsm_count;
+
+#define for_each_hook(SOP, HOOK) \
+ list_for_each_entry(SOP, &lsm_hooks[lsm_##HOOK], list[lsm_##HOOK])
+
+/*
+ * Add an entry to a list of security operation vectors.
+ * The "interesting" logic is included here rather than in the
+ * caller to reduce the volume of the calling code.
+ */
+static void __init lsm_enlist(struct security_operations *ops,
+ const enum lsm_hooks_index index,
+ void *interesting)
{
- /* verify the security_operations structure exists */
- if (!ops)
- return -EINVAL;
- security_fixup_ops(ops);
- return 0;
+ struct security_operations *sop;
+
+ if (!interesting) {
+ INIT_LIST_HEAD(&ops->list[index]);
+ return;
+ }
+
+ if (list_empty(&lsm_hooks[index])) {
+ list_add_rcu(&ops->list[index], &lsm_hooks[index]);
+ return;
+ }
+
+ list_for_each_entry(sop, &lsm_hooks[index], list[index]) {
+ if (ops->order < sop->order) {
+ list_add_tail_rcu(&ops->list[index], &sop->list[index]);
+ return;
+ }
+ if (list_is_last(&sop->list[index], &lsm_hooks[index])) {
+ list_add_rcu(&ops->list[index], &sop->list[index]);
+ return;
+ }
+ }
+}
+
+static void __init lsm_enlist_ops(struct security_operations *sop)
+{
+ lsm_enlist(sop, lsm_ptrace_access_check, sop->ptrace_access_check);
+ lsm_enlist(sop, lsm_ptrace_traceme, sop->ptrace_traceme);
+ lsm_enlist(sop, lsm_capget, sop->capget);
+ lsm_enlist(sop, lsm_capset, sop->capset);
+ lsm_enlist(sop, lsm_capable, sop->capable);
+ lsm_enlist(sop, lsm_quotactl, sop->quotactl);
+ lsm_enlist(sop, lsm_quota_on, sop->quota_on);
+ lsm_enlist(sop, lsm_syslog, sop->syslog);
+ lsm_enlist(sop, lsm_settime, sop->settime);
+ lsm_enlist(sop, lsm_vm_enough_memory, sop->vm_enough_memory);
+ lsm_enlist(sop, lsm_bprm_set_creds, sop->bprm_set_creds);
+ lsm_enlist(sop, lsm_bprm_check_security, sop->bprm_check_security);
+ lsm_enlist(sop, lsm_bprm_committing_creds, sop->bprm_committing_creds);
+ lsm_enlist(sop, lsm_bprm_committed_creds, sop->bprm_committed_creds);
+ lsm_enlist(sop, lsm_bprm_secureexec, sop->bprm_secureexec);
+ lsm_enlist(sop, lsm_sb_alloc_security, sop->sb_alloc_security);
+ lsm_enlist(sop, lsm_sb_free_security, sop->sb_free_security);
+ lsm_enlist(sop, lsm_sb_copy_data, sop->sb_copy_data);
+ lsm_enlist(sop, lsm_sb_remount, sop->sb_remount);
+ lsm_enlist(sop, lsm_sb_kern_mount, sop->sb_kern_mount);
+ lsm_enlist(sop, lsm_sb_show_options, sop->sb_show_options);
+ lsm_enlist(sop, lsm_sb_statfs, sop->sb_statfs);
+ lsm_enlist(sop, lsm_sb_mount, sop->sb_mount);
+ lsm_enlist(sop, lsm_sb_umount, sop->sb_umount);
+ lsm_enlist(sop, lsm_sb_pivotroot, sop->sb_pivotroot);
+ lsm_enlist(sop, lsm_sb_set_mnt_opts, sop->sb_set_mnt_opts);
+ lsm_enlist(sop, lsm_sb_clone_mnt_opts, sop->sb_clone_mnt_opts);
+ lsm_enlist(sop, lsm_sb_parse_opts_str, sop->sb_parse_opts_str);
+ lsm_enlist(sop, lsm_inode_alloc_security, sop->inode_alloc_security);
+ lsm_enlist(sop, lsm_inode_free_security, sop->inode_free_security);
+ lsm_enlist(sop, lsm_inode_init_security, sop->inode_init_security);
+#ifdef CONFIG_SECURITY_PATH
+ lsm_enlist(sop, lsm_path_mknod, sop->path_mknod);
+ lsm_enlist(sop, lsm_path_mkdir, sop->path_mkdir);
+ lsm_enlist(sop, lsm_path_rmdir, sop->path_rmdir);
+ lsm_enlist(sop, lsm_path_unlink, sop->path_unlink);
+ lsm_enlist(sop, lsm_path_symlink, sop->path_symlink);
+ lsm_enlist(sop, lsm_path_link, sop->path_link);
+ lsm_enlist(sop, lsm_path_rename, sop->path_rename);
+ lsm_enlist(sop, lsm_path_truncate, sop->path_truncate);
+ lsm_enlist(sop, lsm_path_chmod, sop->path_chmod);
+ lsm_enlist(sop, lsm_path_chown, sop->path_chown);
+ lsm_enlist(sop, lsm_path_chroot, sop->path_chroot);
+#endif
+ lsm_enlist(sop, lsm_inode_create, sop->inode_create);
+ lsm_enlist(sop, lsm_inode_link, sop->inode_link);
+ lsm_enlist(sop, lsm_inode_unlink, sop->inode_unlink);
+ lsm_enlist(sop, lsm_inode_symlink, sop->inode_symlink);
+ lsm_enlist(sop, lsm_inode_mkdir, sop->inode_mkdir);
+ lsm_enlist(sop, lsm_inode_rmdir, sop->inode_rmdir);
+ lsm_enlist(sop, lsm_inode_mknod, sop->inode_mknod);
+ lsm_enlist(sop, lsm_inode_rename, sop->inode_rename);
+ lsm_enlist(sop, lsm_inode_readlink, sop->inode_readlink);
+ lsm_enlist(sop, lsm_inode_follow_link, sop->inode_follow_link);
+ lsm_enlist(sop, lsm_inode_permission, sop->inode_permission);
+ lsm_enlist(sop, lsm_inode_setattr, sop->inode_setattr);
+ lsm_enlist(sop, lsm_inode_getattr, sop->inode_getattr);
+ lsm_enlist(sop, lsm_inode_setxattr, sop->inode_setxattr);
+ lsm_enlist(sop, lsm_inode_post_setxattr, sop->inode_post_setxattr);
+ lsm_enlist(sop, lsm_inode_getxattr, sop->inode_getxattr);
+ lsm_enlist(sop, lsm_inode_listxattr, sop->inode_listxattr);
+ lsm_enlist(sop, lsm_inode_removexattr, sop->inode_removexattr);
+ lsm_enlist(sop, lsm_inode_need_killpriv, sop->inode_need_killpriv);
+ lsm_enlist(sop, lsm_inode_killpriv, sop->inode_killpriv);
+ lsm_enlist(sop, lsm_inode_getsecurity, sop->inode_getsecurity);
+ lsm_enlist(sop, lsm_inode_setsecurity, sop->inode_setsecurity);
+ lsm_enlist(sop, lsm_inode_listsecurity, sop->inode_listsecurity);
+ lsm_enlist(sop, lsm_inode_getsecid, sop->inode_getsecid);
+ lsm_enlist(sop, lsm_file_permission, sop->file_permission);
+ lsm_enlist(sop, lsm_file_alloc_security, sop->file_alloc_security);
+ lsm_enlist(sop, lsm_file_free_security, sop->file_free_security);
+ lsm_enlist(sop, lsm_file_ioctl, sop->file_ioctl);
+ lsm_enlist(sop, lsm_mmap_file, sop->mmap_file);
+ lsm_enlist(sop, lsm_mmap_addr, sop->mmap_addr);
+ lsm_enlist(sop, lsm_file_mprotect, sop->file_mprotect);
+ lsm_enlist(sop, lsm_file_lock, sop->file_lock);
+ lsm_enlist(sop, lsm_file_fcntl, sop->file_fcntl);
+ lsm_enlist(sop, lsm_file_set_fowner, sop->file_set_fowner);
+ lsm_enlist(sop, lsm_file_send_sigiotask, sop->file_send_sigiotask);
+ lsm_enlist(sop, lsm_file_receive, sop->file_receive);
+ lsm_enlist(sop, lsm_file_open, sop->file_open);
+ lsm_enlist(sop, lsm_task_create, sop->task_create);
+ lsm_enlist(sop, lsm_task_free, sop->task_free);
+ lsm_enlist(sop, lsm_cred_alloc_blank, sop->cred_alloc_blank);
+ lsm_enlist(sop, lsm_cred_free, sop->cred_free);
+ lsm_enlist(sop, lsm_cred_prepare, sop->cred_prepare);
+ lsm_enlist(sop, lsm_cred_transfer, sop->cred_transfer);
+ lsm_enlist(sop, lsm_kernel_act_as, sop->kernel_act_as);
+ lsm_enlist(sop, lsm_kernel_create_files_as,
+ sop->kernel_create_files_as);
+ lsm_enlist(sop, lsm_kernel_module_request, sop->kernel_module_request);
+ lsm_enlist(sop, lsm_kernel_module_from_file,
+ sop->kernel_module_from_file);
+ lsm_enlist(sop, lsm_task_fix_setuid, sop->task_fix_setuid);
+ lsm_enlist(sop, lsm_task_setpgid, sop->task_setpgid);
+ lsm_enlist(sop, lsm_task_getpgid, sop->task_getpgid);
+ lsm_enlist(sop, lsm_task_getsid, sop->task_getsid);
+ lsm_enlist(sop, lsm_task_getsecid, sop->task_getsecid);
+ lsm_enlist(sop, lsm_task_setnice, sop->task_setnice);
+ lsm_enlist(sop, lsm_task_setioprio, sop->task_setioprio);
+ lsm_enlist(sop, lsm_task_getioprio, sop->task_getioprio);
+ lsm_enlist(sop, lsm_task_setrlimit, sop->task_setrlimit);
+ lsm_enlist(sop, lsm_task_setscheduler, sop->task_setscheduler);
+ lsm_enlist(sop, lsm_task_getscheduler, sop->task_getscheduler);
+ lsm_enlist(sop, lsm_task_movememory, sop->task_movememory);
+ lsm_enlist(sop, lsm_task_kill, sop->task_kill);
+ lsm_enlist(sop, lsm_task_wait, sop->task_wait);
+ lsm_enlist(sop, lsm_task_prctl, sop->task_prctl);
+ lsm_enlist(sop, lsm_task_to_inode, sop->task_to_inode);
+ lsm_enlist(sop, lsm_ipc_permission, sop->ipc_permission);
+ lsm_enlist(sop, lsm_ipc_getsecid, sop->ipc_getsecid);
+ lsm_enlist(sop, lsm_msg_msg_alloc_security,
+ sop->msg_msg_alloc_security);
+ lsm_enlist(sop, lsm_msg_msg_free_security, sop->msg_msg_free_security);
+ lsm_enlist(sop, lsm_msg_queue_alloc_security,
+ sop->msg_queue_alloc_security);
+ lsm_enlist(sop, lsm_msg_queue_free_security,
+ sop->msg_queue_free_security);
+ lsm_enlist(sop, lsm_msg_queue_associate, sop->msg_queue_associate);
+ lsm_enlist(sop, lsm_msg_queue_msgctl, sop->msg_queue_msgctl);
+ lsm_enlist(sop, lsm_msg_queue_msgsnd, sop->msg_queue_msgsnd);
+ lsm_enlist(sop, lsm_msg_queue_msgrcv, sop->msg_queue_msgrcv);
+ lsm_enlist(sop, lsm_shm_alloc_security, sop->shm_alloc_security);
+ lsm_enlist(sop, lsm_shm_free_security, sop->shm_free_security);
+ lsm_enlist(sop, lsm_shm_associate, sop->shm_associate);
+ lsm_enlist(sop, lsm_shm_shmctl, sop->shm_shmctl);
+ lsm_enlist(sop, lsm_shm_shmat, sop->shm_shmat);
+ lsm_enlist(sop, lsm_sem_alloc_security, sop->sem_alloc_security);
+ lsm_enlist(sop, lsm_sem_free_security, sop->sem_free_security);
+ lsm_enlist(sop, lsm_sem_associate, sop->sem_associate);
+ lsm_enlist(sop, lsm_sem_semctl, sop->sem_semctl);
+ lsm_enlist(sop, lsm_sem_semop, sop->sem_semop);
+ lsm_enlist(sop, lsm_d_instantiate, sop->d_instantiate);
+ lsm_enlist(sop, lsm_getprocattr, sop->getprocattr);
+ lsm_enlist(sop, lsm_setprocattr, sop->setprocattr);
+ lsm_enlist(sop, lsm_netlink_send, sop->netlink_send);
+ lsm_enlist(sop, lsm_secid_to_secctx, sop->secid_to_secctx);
+ lsm_enlist(sop, lsm_secctx_to_secid, sop->secctx_to_secid);
+ lsm_enlist(sop, lsm_release_secctx, sop->release_secctx);
+ lsm_enlist(sop, lsm_inode_notifysecctx, sop->inode_notifysecctx);
+ lsm_enlist(sop, lsm_inode_setsecctx, sop->inode_setsecctx);
+ lsm_enlist(sop, lsm_inode_getsecctx, sop->inode_getsecctx);
+#ifdef CONFIG_SECURITY_NETWORK
+ lsm_enlist(sop, lsm_unix_stream_connect, sop->unix_stream_connect);
+ lsm_enlist(sop, lsm_unix_may_send, sop->unix_may_send);
+ lsm_enlist(sop, lsm_socket_create, sop->socket_create);
+ lsm_enlist(sop, lsm_socket_post_create, sop->socket_post_create);
+ lsm_enlist(sop, lsm_socket_bind, sop->socket_bind);
+ lsm_enlist(sop, lsm_socket_connect, sop->socket_connect);
+ lsm_enlist(sop, lsm_socket_listen, sop->socket_listen);
+ lsm_enlist(sop, lsm_socket_accept, sop->socket_accept);
+ lsm_enlist(sop, lsm_socket_sendmsg, sop->socket_sendmsg);
+ lsm_enlist(sop, lsm_socket_recvmsg, sop->socket_recvmsg);
+ lsm_enlist(sop, lsm_socket_getsockname, sop->socket_getsockname);
+ lsm_enlist(sop, lsm_socket_getpeername, sop->socket_getpeername);
+ lsm_enlist(sop, lsm_socket_getsockopt, sop->socket_getsockopt);
+ lsm_enlist(sop, lsm_socket_setsockopt, sop->socket_setsockopt);
+ lsm_enlist(sop, lsm_socket_shutdown, sop->socket_shutdown);
+ lsm_enlist(sop, lsm_socket_sock_rcv_skb, sop->socket_sock_rcv_skb);
+ lsm_enlist(sop, lsm_socket_getpeersec_stream,
+ sop->socket_getpeersec_stream);
+ lsm_enlist(sop, lsm_socket_getpeersec_dgram,
+ sop->socket_getpeersec_dgram);
+ lsm_enlist(sop, lsm_sk_alloc_security, sop->sk_alloc_security);
+ lsm_enlist(sop, lsm_sk_free_security, sop->sk_free_security);
+ lsm_enlist(sop, lsm_sk_clone_security, sop->sk_clone_security);
+ lsm_enlist(sop, lsm_req_classify_flow, sop->req_classify_flow);
+ lsm_enlist(sop, lsm_sock_graft, sop->sock_graft);
+ lsm_enlist(sop, lsm_inet_conn_request, sop->inet_conn_request);
+ lsm_enlist(sop, lsm_inet_csk_clone, sop->inet_csk_clone);
+ lsm_enlist(sop, lsm_inet_conn_established, sop->inet_conn_established);
+ lsm_enlist(sop, lsm_secmark_relabel_packet,
+ sop->secmark_relabel_packet);
+ lsm_enlist(sop, lsm_secmark_refcount_inc, sop->secmark_refcount_inc);
+ lsm_enlist(sop, lsm_secmark_refcount_dec, sop->secmark_refcount_dec);
+ lsm_enlist(sop, lsm_tun_dev_create, sop->tun_dev_create);
+ lsm_enlist(sop, lsm_tun_dev_post_create, sop->tun_dev_post_create);
+ lsm_enlist(sop, lsm_tun_dev_attach, sop->tun_dev_attach);
+#endif
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+ lsm_enlist(sop, lsm_xfrm_policy_alloc_security,
+ sop->xfrm_policy_alloc_security);
+ lsm_enlist(sop, lsm_xfrm_policy_clone_security,
+ sop->xfrm_policy_clone_security);
+ lsm_enlist(sop, lsm_xfrm_policy_free_security,
+ sop->xfrm_policy_free_security);
+ lsm_enlist(sop, lsm_xfrm_policy_delete_security,
+ sop->xfrm_policy_delete_security);
+ lsm_enlist(sop, lsm_xfrm_state_alloc_security,
+ sop->xfrm_state_alloc_security);
+ lsm_enlist(sop, lsm_xfrm_state_delete_security,
+ sop->xfrm_state_delete_security);
+ lsm_enlist(sop, lsm_xfrm_state_free_security,
+ sop->xfrm_state_free_security);
+ lsm_enlist(sop, lsm_xfrm_policy_lookup, sop->xfrm_policy_lookup);
+ lsm_enlist(sop, lsm_xfrm_state_pol_flow_match,
+ sop->xfrm_state_pol_flow_match);
+ lsm_enlist(sop, lsm_xfrm_decode_session, sop->xfrm_decode_session);
+#endif
+#ifdef CONFIG_KEYS
+ lsm_enlist(sop, lsm_key_alloc, sop->key_alloc);
+ lsm_enlist(sop, lsm_key_free, sop->key_free);
+ lsm_enlist(sop, lsm_key_permission, sop->key_permission);
+ lsm_enlist(sop, lsm_key_getsecurity, sop->key_getsecurity);
+#endif
+#ifdef CONFIG_AUDIT
+ lsm_enlist(sop, lsm_audit_rule_init, sop->audit_rule_init);
+ lsm_enlist(sop, lsm_audit_rule_known, sop->audit_rule_known);
+ lsm_enlist(sop, lsm_audit_rule_free, sop->audit_rule_free);
+ lsm_enlist(sop, lsm_audit_rule_match, sop->audit_rule_match);
+#endif
+
+ lsm_enlist(sop, lsm_name, sop->name);
}
static void __init do_security_initcalls(void)
{
initcall_t *call;
+
call = __security_initcall_start;
while (call < __security_initcall_end) {
(*call) ();
@@ -63,24 +320,71 @@ static void __init do_security_initcalls(void)
*/
int __init security_init(void)
{
- printk(KERN_INFO "Security Framework initialized\n");
+ enum lsm_hooks_index i;
+
+ for (i = 0; i < LSM_MAX_HOOKS; i++)
+ INIT_LIST_HEAD(&lsm_hooks[i]);
+
+ pr_info("Security Framework initialized\n");
- security_fixup_ops(&default_security_ops);
- security_ops = &default_security_ops;
do_security_initcalls();
return 0;
}
-void reset_security_ops(void)
+/*
+ * Only SELinux calls reset_security_ops.
+ */
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+
+static void lsm_delist_ops(struct security_operations *sop)
{
- security_ops = &default_security_ops;
+ enum lsm_hooks_index i;
+
+ for (i = 0; i < LSM_MAX_HOOKS; i++)
+ if (sop->list[i].next && !list_empty(&sop->list[i]))
+ list_del_rcu(&sop->list[i]);
+ return;
}
-/* Save user chosen LSM */
+int reset_security_ops(struct security_operations *ops)
+{
+ /*
+ * This LSM is configured to own /proc/.../attr.
+ */
+ if (lsm_present == ops)
+ lsm_present = NULL;
+
+ lsm_delist_ops(ops);
+
+ return 0;
+}
+
+#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
+
+/* Save user chosen LSM(s) */
static int __init choose_lsm(char *str)
{
- strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
+ char *cp;
+ char *ep;
+ int i;
+
+ strncpy(allowed_lsms, str, COMPOSER_NAMES_MAX);
+ cp = allowed_lsms;
+
+ for (i = 0; i < COMPOSER_MAX; i++) {
+ ep = strchr(cp, ',');
+ if (ep != NULL)
+ *ep = '\0';
+ if (strlen(cp) > SECURITY_NAME_MAX)
+ pr_warn("LSM \"%s\" is invalid and ignored.\n", cp);
+ else
+ strncpy(specified_lsms[i], cp, SECURITY_NAME_MAX);
+ if (ep == NULL)
+ break;
+ cp = ep + 1;
+ }
+
return 1;
}
__setup("security=", choose_lsm);
@@ -94,74 +398,303 @@ __setup("security=", choose_lsm);
* to check if your LSM is currently loaded during kernel initialization.
*
* Return true if:
- * -The passed LSM is the one chosen by user at boot time,
- * -or the passed LSM is configured as the default and the user did not
- * choose an alternate LSM at boot time.
+ * -The passed LSM is on the list of LSMs specified at boot time,
+ * -or no boot list was specified.
* Otherwise, return false.
*/
int __init security_module_enable(struct security_operations *ops)
{
- return !strcmp(ops->name, chosen_lsm);
-}
+ struct security_operations *sop;
+ int i;
-/**
- * register_security - registers a security framework with the kernel
- * @ops: a pointer to the struct security_options that is to be registered
- *
- * This function allows a security module to register itself with the
- * kernel security subsystem. Some rudimentary checking is done on the @ops
- * value passed to this function. You'll need to check first if your LSM
- * is allowed to register its @ops by calling security_module_enable(@ops).
- *
- * If there is already a security module registered with the kernel,
- * an error will be returned. Otherwise %0 is returned on success.
- */
-int __init register_security(struct security_operations *ops)
-{
- if (verify(ops)) {
- printk(KERN_DEBUG "%s could not verify "
- "security_operations structure.\n", __func__);
- return -EINVAL;
+ /*
+ * Set up the operation vector early, but only once.
+ * This allows LSM specific file systems to check to see if they
+ * should come on line.
+ */
+ if (ops == NULL) {
+ pr_debug("%s could not verify security_operations.\n",
+ __func__);
+ return 0;
}
+ /*
+ * Return success if the LSM is already resistered
+ */
+ for_each_hook(sop, name)
+ if (sop == ops)
+ return 1;
- if (security_ops != &default_security_ops)
- return -EAGAIN;
+ /*
+ * This LSM has not yet been ordered.
+ */
+ ops->order = -1;
- security_ops = ops;
+ if (lsm_count >= COMPOSER_MAX) {
+ pr_warn("Too many security modules. %s not loaded.\n",
+ ops->name);
+ return 0;
+ }
- return 0;
+ if (specified_lsms[0][0] != '\0') {
+ for (i = 0; specified_lsms[i][0] != '\0'; i++) {
+ if (strcmp(ops->name, specified_lsms[i]) == 0) {
+ ops->order = i;
+ break;
+ }
+ }
+ if (ops->order == -1) {
+ pr_notice("LSM %s declined by boot options.\n",
+ ops->name);
+ return 0;
+ }
+ }
+ /*
+ * Check for conflicting LSMs.
+ */
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+ if (ops->xfrm_policy_alloc_security &&
+ !list_empty(&lsm_hooks[lsm_xfrm_policy_alloc_security])) {
+ pr_warn("LSM conflict on %s. %s not loaded.\n",
+ "xfrm_policy_alloc_security", ops->name);
+ return 0;
+ }
+#endif
+ if (ops->secid_to_secctx &&
+ !list_empty(&lsm_hooks[lsm_secid_to_secctx])) {
+ pr_warn("LSM conflict on %s. %s not loaded.\n",
+ "secid_to_secctx", ops->name);
+ return 0;
+ }
+
+ /*
+ * The order will already be set if the command line
+ * includes "security=".
+ *
+ * Do this before the enlisting. If there is an error
+ * (Very unlikely!) that prevents the enlisting from
+ * completing it is still necessary to have a blob slot
+ * for it.
+ */
+ if (ops->order == -1)
+ ops->order = lsm_count;
+ lsm_count++;
+
+ /*
+ * Use the LSM specified by CONFIG_SECURITY_PRESENT for
+ * [gs]etprocattr. If the LSM specified is PRESENT_FIRST
+ * use the first LSM to register that has the hooks.
+ * If the specified LSM lacks the hooks treat it as if
+ * there is no LSM registered that supplied them.
+ */
+ if (ops->getprocattr && ops->setprocattr &&
+ (!strcmp(ops->name, present_lsm) ||
+ (!lsm_present && !strcmp(PRESENT_FIRST, present_lsm)))) {
+ lsm_present = ops;
+ present_getprocattr = ops->getprocattr;
+ present_setprocattr = ops->setprocattr;
+ pr_info("Security Module %s is presented in /proc.\n",
+ ops->name);
+ }
+ /*
+ * Return success after registering the LSM.
+ */
+ lsm_enlist_ops(ops);
+
+ return 1;
}
/* Security operations */
+/*
+ * Because so many of the cases are treated the same it
+ * cleans things up to use these macros instead of having
+ * duplicate text all over the place.
+ *
+ * call_void_hook:
+ * This is a hook that does not return a value.
+ *
+ * call_int_hook:
+ * This is hook that returns a value. Return the last
+ * non-zero return.
+ *
+ * call_int_must:
+ * Returns 1 if any LSMs actually had hooks and one
+ * or more got called. The return value goes into RC.
+ *
+ * call_int_cap_first:
+ * Like cap_int_hook, but call the cap_hook first and
+ * bail on fail.
+ *
+ * call_int_cap_last:
+ * Like cap_int_cap_first, but call the cap_hook last.
+ *
+ * call_alloc_hook:
+ * Allocate not only the LSM security blobs, but a blob
+ * to hold pointers to all of them as well.
+ *
+ */
+#define call_void_hook(FUNC, ...) \
+ do { \
+ struct security_operations *sop; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) \
+ sop->FUNC(__VA_ARGS__); \
+ } while (0) \
+
+#define call_int_hook(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ } while (0); \
+ rc; \
+})
+
+#define call_int_must(RC, FUNC, ...) ({ \
+ int called = 0; \
+ RC = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ RC = thisrc; \
+ called = 1; \
+ } \
+ } while (0); \
+ called; \
+})
+
+#define call_int_cap_first(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ thisrc = cap_##FUNC(__VA_ARGS__); \
+ if (thisrc) { \
+ rc = thisrc; \
+ break; \
+ } \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ } while (0); \
+ rc; \
+})
+
+#define call_int_cap_last(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ \
+ if (!rc) \
+ rc = cap_##FUNC(__VA_ARGS__); \
+ } while (0); \
+ rc; \
+})
+
+
+#define call_alloc_hook(ALLOC, FREE, FIELD, GFP, ARG) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ struct security_operations *note[COMPOSER_MAX]; \
+ struct lsm_blob tblob; \
+ struct lsm_blob *bp = NULL; \
+ int successes = 0; \
+ \
+ memset(&tblob, 0, sizeof(tblob)); \
+ FIELD = &tblob; \
+ for_each_hook(sop, ALLOC) { \
+ rc = sop->ALLOC(ARG); \
+ if (rc) \
+ break; \
+ note[successes++] = sop; \
+ } \
+ if (tblob.lsm_setcount != 0) { \
+ if (rc == 0) \
+ bp = kmemdup(&tblob, sizeof(tblob), GFP); \
+ if (bp == NULL) { \
+ if (rc == 0) \
+ rc = -ENOMEM; \
+ while (successes > 0) \
+ note[--successes]->FREE(ARG); \
+ } \
+ } \
+ FIELD = bp; \
+ } while (0); \
+ rc; \
+})
+
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- int rc;
- rc = yama_ptrace_access_check(child, mode);
- if (rc)
- return rc;
-#endif
- return security_ops->ptrace_access_check(child, mode);
+ return call_int_cap_first(ptrace_access_check, child, mode);
}
int security_ptrace_traceme(struct task_struct *parent)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- int rc;
- rc = yama_ptrace_traceme(parent);
- if (rc)
- return rc;
-#endif
- return security_ops->ptrace_traceme(parent);
+ return call_int_cap_first(ptrace_traceme, parent);
}
+/*
+ * Odd duck hook handling.
+ * This hook returns the set of capabilities available to
+ * the "target" task. Apparmor restricts the capabilities
+ * based on profile and SELinux may deny the ability to
+ * look and see what they are. cap_capget never fails.
+ */
int security_capget(struct task_struct *target,
kernel_cap_t *effective,
kernel_cap_t *inheritable,
kernel_cap_t *permitted)
{
- return security_ops->capget(target, effective, inheritable, permitted);
+ struct security_operations *sop;
+ kernel_cap_t cap[3];
+ kernel_cap_t this[3];
+ int rc;
+ int i;
+
+ rc = cap_capget(target, &cap[0], &cap[1], &cap[2]);
+ if (rc != 0)
+ return rc;
+
+ for_each_hook(sop, capget) {
+ rc = sop->capget(target, &this[0], &this[1], &this[2]);
+ if (rc != 0)
+ return rc;
+ for (i = 0; i < 3; i++)
+ cap[i] = cap_intersect(cap[i], this[i]);
+ }
+
+ *effective = cap[0];
+ *inheritable = cap[1];
+ *permitted = cap[2];
+
+ return 0;
}
int security_capset(struct cred *new, const struct cred *old,
@@ -169,195 +702,214 @@ int security_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- return security_ops->capset(new, old,
- effective, inheritable, permitted);
+ return call_int_cap_first(capset, new, old, effective,
+ inheritable, permitted);
}
int security_capable(const struct cred *cred, struct user_namespace *ns,
int cap)
{
- return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);
+ return call_int_cap_first(capable, cred, ns, cap, SECURITY_CAP_AUDIT);
}
int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
int cap)
{
- return security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT);
+ return call_int_cap_first(capable, cred, ns, cap, SECURITY_CAP_NOAUDIT);
}
int security_quotactl(int cmds, int type, int id, struct super_block *sb)
{
- return security_ops->quotactl(cmds, type, id, sb);
+ return call_int_hook(quotactl, cmds, type, id, sb);
}
int security_quota_on(struct dentry *dentry)
{
- return security_ops->quota_on(dentry);
+ return call_int_hook(quota_on, dentry);
}
int security_syslog(int type)
{
- return security_ops->syslog(type);
+ return call_int_hook(syslog, type);
}
int security_settime(const struct timespec *ts, const struct timezone *tz)
{
- return security_ops->settime(ts, tz);
+ return call_int_cap_first(settime, ts, tz);
}
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{
- return security_ops->vm_enough_memory(mm, pages);
+ return call_int_cap_first(vm_enough_memory, mm, pages);
}
int security_bprm_set_creds(struct linux_binprm *bprm)
{
- return security_ops->bprm_set_creds(bprm);
+ return call_int_cap_first(bprm_set_creds, bprm);
}
int security_bprm_check(struct linux_binprm *bprm)
{
- int ret;
+ int rc = call_int_hook(bprm_check_security, bprm);
+
+ if (rc)
+ return rc;
- ret = security_ops->bprm_check_security(bprm);
- if (ret)
- return ret;
return ima_bprm_check(bprm);
}
+
void security_bprm_committing_creds(struct linux_binprm *bprm)
{
- security_ops->bprm_committing_creds(bprm);
+ call_void_hook(bprm_committing_creds, bprm);
}
void security_bprm_committed_creds(struct linux_binprm *bprm)
{
- security_ops->bprm_committed_creds(bprm);
+ call_void_hook(bprm_committed_creds, bprm);
}
int security_bprm_secureexec(struct linux_binprm *bprm)
{
- return security_ops->bprm_secureexec(bprm);
+ return call_int_cap_last(bprm_secureexec, bprm);
}
int security_sb_alloc(struct super_block *sb)
{
- return security_ops->sb_alloc_security(sb);
+ return call_alloc_hook(sb_alloc_security, sb_free_security,
+ sb->s_security, GFP_KERNEL, sb);
}
void security_sb_free(struct super_block *sb)
{
- security_ops->sb_free_security(sb);
+ call_void_hook(sb_free_security, sb);
+
+ kfree(sb->s_security);
+ sb->s_security = NULL;
}
int security_sb_copy_data(char *orig, char *copy)
{
- return security_ops->sb_copy_data(orig, copy);
+ return call_int_hook(sb_copy_data, orig, copy);
}
EXPORT_SYMBOL(security_sb_copy_data);
int security_sb_remount(struct super_block *sb, void *data)
{
- return security_ops->sb_remount(sb, data);
+ return call_int_hook(sb_remount, sb, data);
}
int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
- return security_ops->sb_kern_mount(sb, flags, data);
+ return call_int_hook(sb_kern_mount, sb, flags, data);
}
int security_sb_show_options(struct seq_file *m, struct super_block *sb)
{
- return security_ops->sb_show_options(m, sb);
+ return call_int_hook(sb_show_options, m, sb);
}
int security_sb_statfs(struct dentry *dentry)
{
- return security_ops->sb_statfs(dentry);
+ return call_int_hook(sb_statfs, dentry);
}
int security_sb_mount(const char *dev_name, struct path *path,
const char *type, unsigned long flags, void *data)
{
- return security_ops->sb_mount(dev_name, path, type, flags, data);
+ return call_int_hook(sb_mount, dev_name, path, type, flags, data);
}
int security_sb_umount(struct vfsmount *mnt, int flags)
{
- return security_ops->sb_umount(mnt, flags);
+ return call_int_hook(sb_umount, mnt, flags);
}
int security_sb_pivotroot(struct path *old_path, struct path *new_path)
{
- return security_ops->sb_pivotroot(old_path, new_path);
+ return call_int_hook(sb_pivotroot, old_path, new_path);
}
int security_sb_set_mnt_opts(struct super_block *sb,
struct security_mnt_opts *opts)
{
- return security_ops->sb_set_mnt_opts(sb, opts);
+ int rc;
+
+ if (call_int_must(rc, sb_set_mnt_opts, sb, opts))
+ return rc;
+
+ if (unlikely(opts->num_mnt_opts))
+ return -EOPNOTSUPP;
+ return 0;
}
EXPORT_SYMBOL(security_sb_set_mnt_opts);
void security_sb_clone_mnt_opts(const struct super_block *oldsb,
struct super_block *newsb)
{
- security_ops->sb_clone_mnt_opts(oldsb, newsb);
+ call_void_hook(sb_clone_mnt_opts, oldsb, newsb);
}
EXPORT_SYMBOL(security_sb_clone_mnt_opts);
int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
{
- return security_ops->sb_parse_opts_str(options, opts);
+ return call_int_hook(sb_parse_opts_str, options, opts);
}
EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode)
{
- inode->i_security = NULL;
- return security_ops->inode_alloc_security(inode);
+ return call_alloc_hook(inode_alloc_security, inode_free_security,
+ inode->i_security, GFP_KERNEL, inode);
}
void security_inode_free(struct inode *inode)
{
integrity_inode_free(inode);
- security_ops->inode_free_security(inode);
+
+ call_void_hook(inode_free_security, inode);
+
+ kfree(inode->i_security);
+ inode->i_security = NULL;
}
int security_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr,
const initxattrs initxattrs, void *fs_data)
{
+ int rc;
struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1];
struct xattr *lsm_xattr, *evm_xattr, *xattr;
- int ret;
if (unlikely(IS_PRIVATE(inode)))
return 0;
memset(new_xattrs, 0, sizeof new_xattrs);
if (!initxattrs)
- return security_ops->inode_init_security(inode, dir, qstr,
- NULL, NULL, NULL);
+ return call_int_hook(inode_init_security, inode, dir, qstr,
+ NULL, NULL, NULL);
+
lsm_xattr = new_xattrs;
- ret = security_ops->inode_init_security(inode, dir, qstr,
- &lsm_xattr->name,
- &lsm_xattr->value,
- &lsm_xattr->value_len);
- if (ret)
+
+ if (!call_int_must(rc, inode_init_security, inode, dir, qstr,
+ &lsm_xattr->name, &lsm_xattr->value,
+ &lsm_xattr->value_len))
+ rc = -EOPNOTSUPP;
+
+ if (rc)
goto out;
evm_xattr = lsm_xattr + 1;
- ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
- if (ret)
+ rc = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
+ if (rc)
goto out;
- ret = initxattrs(inode, new_xattrs, fs_data);
+ rc = initxattrs(inode, new_xattrs, fs_data);
out:
for (xattr = new_xattrs; xattr->name != NULL; xattr++) {
kfree(xattr->name);
kfree(xattr->value);
}
- return (ret == -EOPNOTSUPP) ? 0 : ret;
+ return (rc == -EOPNOTSUPP) ? 0 : rc;
}
EXPORT_SYMBOL(security_inode_init_security);
@@ -367,8 +919,9 @@ int security_old_inode_init_security(struct inode *inode, struct inode *dir,
{
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_init_security(inode, dir, qstr, name, value,
- len);
+
+ return call_int_hook(inode_init_security, inode, dir, qstr, name,
+ value, len);
}
EXPORT_SYMBOL(security_old_inode_init_security);
@@ -378,7 +931,8 @@ int security_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode,
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_mknod(dir, dentry, mode, dev);
+
+ return call_int_hook(path_mknod, dir, dentry, mode, dev);
}
EXPORT_SYMBOL(security_path_mknod);
@@ -386,7 +940,8 @@ int security_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_mkdir(dir, dentry, mode);
+
+ return call_int_hook(path_mkdir, dir, dentry, mode);
}
EXPORT_SYMBOL(security_path_mkdir);
@@ -394,14 +949,16 @@ int security_path_rmdir(struct path *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_rmdir(dir, dentry);
+
+ return call_int_hook(path_rmdir, dir, dentry);
}
int security_path_unlink(struct path *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_unlink(dir, dentry);
+
+ return call_int_hook(path_unlink, dir, dentry);
}
EXPORT_SYMBOL(security_path_unlink);
@@ -410,7 +967,8 @@ int security_path_symlink(struct path *dir, struct dentry *dentry,
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_symlink(dir, dentry, old_name);
+
+ return call_int_hook(path_symlink, dir, dentry, old_name);
}
int security_path_link(struct dentry *old_dentry, struct path *new_dir,
@@ -418,7 +976,8 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir,
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
return 0;
- return security_ops->path_link(old_dentry, new_dir, new_dentry);
+
+ return call_int_hook(path_link, old_dentry, new_dir, new_dentry);
}
int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
@@ -427,8 +986,9 @@ int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
- return security_ops->path_rename(old_dir, old_dentry, new_dir,
- new_dentry);
+
+ return call_int_hook(path_rename, old_dir, old_dentry, new_dir,
+ new_dentry);
}
EXPORT_SYMBOL(security_path_rename);
@@ -436,26 +996,29 @@ int security_path_truncate(struct path *path)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_truncate(path);
+
+ return call_int_hook(path_truncate, path);
}
int security_path_chmod(struct path *path, umode_t mode)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_chmod(path, mode);
+
+ return call_int_hook(path_chmod, path, mode);
}
int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_chown(path, uid, gid);
+
+ return call_int_hook(path_chown, path, uid, gid);
}
int security_path_chroot(struct path *path)
{
- return security_ops->path_chroot(path);
+ return call_int_hook(path_chroot, path);
}
#endif
@@ -463,7 +1026,8 @@ int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_create(dir, dentry, mode);
+
+ return call_int_hook(inode_create, dir, dentry, mode);
}
EXPORT_SYMBOL_GPL(security_inode_create);
@@ -472,14 +1036,16 @@ int security_inode_link(struct dentry *old_dentry, struct inode *dir,
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
return 0;
- return security_ops->inode_link(old_dentry, dir, new_dentry);
+
+ return call_int_hook(inode_link, old_dentry, dir, new_dentry);
}
int security_inode_unlink(struct inode *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_unlink(dir, dentry);
+
+ return call_int_hook(inode_unlink, dir, dentry);
}
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
@@ -487,14 +1053,16 @@ int security_inode_symlink(struct inode *dir, struct dentry *dentry,
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_symlink(dir, dentry, old_name);
+
+ return call_int_hook(inode_symlink, dir, dentry, old_name);
}
int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_mkdir(dir, dentry, mode);
+
+ return call_int_hook(inode_mkdir, dir, dentry, mode);
}
EXPORT_SYMBOL_GPL(security_inode_mkdir);
@@ -502,14 +1070,16 @@ int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_rmdir(dir, dentry);
+
+ return call_int_hook(inode_rmdir, dir, dentry);
}
int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_mknod(dir, dentry, mode, dev);
+
+ return call_int_hook(inode_mknod, dir, dentry, mode, dev);
}
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -518,40 +1088,45 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
- return security_ops->inode_rename(old_dir, old_dentry,
- new_dir, new_dentry);
+
+ return call_int_hook(inode_rename, old_dir, old_dentry, new_dir,
+ new_dentry);
}
int security_inode_readlink(struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_readlink(dentry);
+
+ return call_int_hook(inode_readlink, dentry);
}
int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_follow_link(dentry, nd);
+
+ return call_int_hook(inode_follow_link, dentry, nd);
}
int security_inode_permission(struct inode *inode, int mask)
{
if (unlikely(IS_PRIVATE(inode)))
return 0;
- return security_ops->inode_permission(inode, mask);
+
+ return call_int_hook(inode_permission, inode, mask);
}
int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_setattr(dentry, attr);
- if (ret)
- return ret;
+
+ rc = call_int_hook(inode_setattr, dentry, attr);
+ if (rc)
+ return rc;
return evm_inode_setattr(dentry, attr);
}
EXPORT_SYMBOL_GPL(security_inode_setattr);
@@ -560,22 +1135,25 @@ int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_getattr(mnt, dentry);
+
+ return call_int_hook(inode_getattr, mnt, dentry);
}
int security_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_setxattr(dentry, name, value, size, flags);
- if (ret)
- return ret;
- ret = ima_inode_setxattr(dentry, name, value, size);
- if (ret)
- return ret;
+
+ rc = call_int_hook(inode_setxattr, dentry, name, value, size, flags);
+
+ if (rc)
+ return rc;
+ rc = ima_inode_setxattr(dentry, name, value, size);
+ if (rc)
+ return rc;
return evm_inode_setxattr(dentry, name, value, size);
}
@@ -584,7 +1162,9 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name,
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return;
- security_ops->inode_post_setxattr(dentry, name, value, size, flags);
+
+ call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
+
evm_inode_post_setxattr(dentry, name, value, size);
}
@@ -592,91 +1172,145 @@ int security_inode_getxattr(struct dentry *dentry, const char *name)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_getxattr(dentry, name);
+
+ return call_int_hook(inode_getxattr, dentry, name);
}
int security_inode_listxattr(struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_listxattr(dentry);
+
+ return call_int_hook(inode_listxattr, dentry);
}
int security_inode_removexattr(struct dentry *dentry, const char *name)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_removexattr(dentry, name);
- if (ret)
- return ret;
- ret = ima_inode_removexattr(dentry, name);
- if (ret)
- return ret;
+
+ if (!call_int_must(rc, inode_removexattr, dentry, name))
+ rc = cap_inode_removexattr(dentry, name);
+
+ if (rc)
+ return rc;
+
+ rc = ima_inode_removexattr(dentry, name);
+ if (rc)
+ return rc;
return evm_inode_removexattr(dentry, name);
}
int security_inode_need_killpriv(struct dentry *dentry)
{
- return security_ops->inode_need_killpriv(dentry);
+ return call_int_cap_first(inode_need_killpriv, dentry);
}
int security_inode_killpriv(struct dentry *dentry)
{
- return security_ops->inode_killpriv(dentry);
+ return call_int_cap_first(inode_killpriv, dentry);
}
int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
{
+ struct security_operations *sop;
+ int rc;
+
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_getsecurity(inode, name, buffer, alloc);
+
+ /*
+ * Only one LSM will supply a given "name".
+ * -EOPNOTSUPP is an indication that the LSM does not
+ * provide a value for the provided name.
+ */
+ for_each_hook(sop, inode_getsecurity) {
+ rc = sop->inode_getsecurity(inode, name, buffer, alloc);
+ if (rc != -EOPNOTSUPP)
+ return rc;
+ }
+ return -EOPNOTSUPP;
}
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
{
+ struct security_operations *sop;
+ int rc;
+
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_setsecurity(inode, name, value, size, flags);
+
+ /*
+ * Only one LSM will set a given "name".
+ * -EOPNOTSUPP is an indication that the LSM does not
+ * set a value for the provided name.
+ */
+ for_each_hook(sop, inode_setsecurity) {
+ rc = sop->inode_setsecurity(inode, name, value, size, flags);
+ if (rc != -EOPNOTSUPP)
+ return rc;
+ }
+ return -EOPNOTSUPP;
}
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
+ struct security_operations *sop;
+ int rc = 0;
+ int thisrc;
+
if (unlikely(IS_PRIVATE(inode)))
return 0;
- return security_ops->inode_listsecurity(inode, buffer, buffer_size);
+
+ /*
+ * inode_listsecurity hooks never return negative values.
+ */
+ for_each_hook(sop, inode_listsecurity) {
+ thisrc = sop->inode_listsecurity(inode, buffer, buffer_size);
+ buffer += thisrc;
+ buffer_size -= thisrc;
+ rc += thisrc;
+ }
+ return rc;
}
void security_inode_getsecid(const struct inode *inode, u32 *secid)
{
- security_ops->inode_getsecid(inode, secid);
+ *secid = 0;
+ call_void_hook(inode_getsecid, inode, secid);
}
int security_file_permission(struct file *file, int mask)
{
- int ret;
+ int rc;
- ret = security_ops->file_permission(file, mask);
- if (ret)
- return ret;
+ rc = call_int_hook(file_permission, file, mask);
+
+ if (rc)
+ return rc;
return fsnotify_perm(file, mask);
}
int security_file_alloc(struct file *file)
{
- return security_ops->file_alloc_security(file);
+ return call_alloc_hook(file_alloc_security, file_free_security,
+ file->f_security, GFP_KERNEL, file);
}
void security_file_free(struct file *file)
{
- security_ops->file_free_security(file);
+ call_void_hook(file_free_security, file);
+
+ kfree(file->f_security);
+ file->f_security = NULL;
}
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
- return security_ops->file_ioctl(file, cmd, arg);
+ return call_int_hook(file_ioctl, file, cmd, arg);
}
static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
@@ -716,370 +1350,528 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags)
{
- int ret;
- ret = security_ops->mmap_file(file, prot,
- mmap_prot(file, prot), flags);
- if (ret)
- return ret;
+ int rc;
+
+ rc = call_int_hook(mmap_file, file, prot, mmap_prot(file, prot),
+ flags);
+
+ if (rc)
+ return rc;
return ima_file_mmap(file, prot);
}
int security_mmap_addr(unsigned long addr)
{
- return security_ops->mmap_addr(addr);
+ return call_int_cap_last(mmap_addr, addr);
}
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot)
{
- return security_ops->file_mprotect(vma, reqprot, prot);
+ return call_int_hook(file_mprotect, vma, reqprot, prot);
}
int security_file_lock(struct file *file, unsigned int cmd)
{
- return security_ops->file_lock(file, cmd);
+ return call_int_hook(file_lock, file, cmd);
}
int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
{
- return security_ops->file_fcntl(file, cmd, arg);
+ return call_int_hook(file_fcntl, file, cmd, arg);
}
int security_file_set_fowner(struct file *file)
{
- return security_ops->file_set_fowner(file);
+ return call_int_hook(file_set_fowner, file);
}
int security_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int sig)
{
- return security_ops->file_send_sigiotask(tsk, fown, sig);
+ return call_int_hook(file_send_sigiotask, tsk, fown, sig);
}
int security_file_receive(struct file *file)
{
- return security_ops->file_receive(file);
+ return call_int_hook(file_receive, file);
}
int security_file_open(struct file *file, const struct cred *cred)
{
- int ret;
+ int rc;
- ret = security_ops->file_open(file, cred);
- if (ret)
- return ret;
+ rc = call_int_hook(file_open, file, cred);
+
+ if (rc)
+ return rc;
return fsnotify_perm(file, MAY_OPEN);
}
int security_task_create(unsigned long clone_flags)
{
- return security_ops->task_create(clone_flags);
+ return call_int_hook(task_create, clone_flags);
}
void security_task_free(struct task_struct *task)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- yama_task_free(task);
-#endif
- security_ops->task_free(task);
+ call_void_hook(task_free, task);
}
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
- return security_ops->cred_alloc_blank(cred, gfp);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ cred->security = &tblob;
+
+ for_each_hook(sop, cred_alloc_blank) {
+ rc = sop->cred_alloc_blank(cred, gfp);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), gfp);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->cred_free(cred);
+ }
+ }
+ cred->security = bp;
+ return rc;
}
void security_cred_free(struct cred *cred)
{
- security_ops->cred_free(cred);
+ call_void_hook(cred_free, cred);
+
+ if (cred->security == NULL)
+ return;
+
+ kfree(cred->security);
+ cred->security = NULL;
}
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
{
- return security_ops->cred_prepare(new, old, gfp);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ /*
+ * new->security will be NULL on entry.
+ */
+ memset(&tblob, 0, sizeof(tblob));
+ new->security = &tblob;
+
+ for_each_hook(sop, cred_prepare) {
+ rc = sop->cred_prepare(new, old, gfp);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), gfp);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->cred_free(new);
+ }
+ }
+ new->security = bp;
+ return rc;
}
void security_transfer_creds(struct cred *new, const struct cred *old)
{
- security_ops->cred_transfer(new, old);
+ call_void_hook(cred_transfer, new, old);
}
int security_kernel_act_as(struct cred *new, u32 secid)
{
- return security_ops->kernel_act_as(new, secid);
+ return call_int_hook(kernel_act_as, new, secid);
}
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
{
- return security_ops->kernel_create_files_as(new, inode);
+ return call_int_hook(kernel_create_files_as, new, inode);
}
int security_kernel_module_request(char *kmod_name)
{
- return security_ops->kernel_module_request(kmod_name);
+ return call_int_hook(kernel_module_request, kmod_name);
}
int security_kernel_module_from_file(struct file *file)
{
- int ret;
+ int rc;
- ret = security_ops->kernel_module_from_file(file);
- if (ret)
- return ret;
+ rc = call_int_hook(kernel_module_from_file, file);
+ if (rc)
+ return rc;
return ima_module_check(file);
}
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags)
{
- return security_ops->task_fix_setuid(new, old, flags);
+ return call_int_cap_first(task_fix_setuid, new, old, flags);
}
int security_task_setpgid(struct task_struct *p, pid_t pgid)
{
- return security_ops->task_setpgid(p, pgid);
+ return call_int_hook(task_setpgid, p, pgid);
}
int security_task_getpgid(struct task_struct *p)
{
- return security_ops->task_getpgid(p);
+ return call_int_hook(task_getpgid, p);
}
int security_task_getsid(struct task_struct *p)
{
- return security_ops->task_getsid(p);
+ return call_int_hook(task_getsid, p);
}
void security_task_getsecid(struct task_struct *p, u32 *secid)
{
- security_ops->task_getsecid(p, secid);
+ *secid = 0;
+ call_void_hook(task_getsecid, p, secid);
}
EXPORT_SYMBOL(security_task_getsecid);
int security_task_setnice(struct task_struct *p, int nice)
{
- return security_ops->task_setnice(p, nice);
+ return call_int_cap_first(task_setnice, p, nice);
}
int security_task_setioprio(struct task_struct *p, int ioprio)
{
- return security_ops->task_setioprio(p, ioprio);
+ return call_int_cap_first(task_setioprio, p, ioprio);
}
int security_task_getioprio(struct task_struct *p)
{
- return security_ops->task_getioprio(p);
+ return call_int_hook(task_getioprio, p);
}
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{
- return security_ops->task_setrlimit(p, resource, new_rlim);
+ return call_int_hook(task_setrlimit, p, resource, new_rlim);
}
int security_task_setscheduler(struct task_struct *p)
{
- return security_ops->task_setscheduler(p);
+ return call_int_cap_first(task_setscheduler, p);
}
int security_task_getscheduler(struct task_struct *p)
{
- return security_ops->task_getscheduler(p);
+ return call_int_hook(task_getscheduler, p);
}
int security_task_movememory(struct task_struct *p)
{
- return security_ops->task_movememory(p);
+ return call_int_hook(task_movememory, p);
}
int security_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid)
{
- return security_ops->task_kill(p, info, sig, secid);
+ return call_int_hook(task_kill, p, info, sig, secid);
}
int security_task_wait(struct task_struct *p)
{
- return security_ops->task_wait(p);
+ return call_int_hook(task_wait, p);
}
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
+ struct security_operations *sop;
int rc;
- rc = yama_task_prctl(option, arg2, arg3, arg4, arg5);
+
+ rc = cap_task_prctl(option, arg2, arg3, arg4, arg5);
if (rc != -ENOSYS)
return rc;
-#endif
- return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
+
+ for_each_hook(sop, task_prctl) {
+ rc = sop->task_prctl(option, arg2, arg3, arg4, arg5);
+ /*
+ * -ENOSYS returned if the lsm doesn't handle that control.
+ * If the LSM does handle the control return the result.
+ * The assumption for the time being is that no two LSMs
+ * will handle a control.
+ */
+ if (rc != -ENOSYS)
+ return rc;
+ }
+ return -ENOSYS;
}
void security_task_to_inode(struct task_struct *p, struct inode *inode)
{
- security_ops->task_to_inode(p, inode);
+ call_void_hook(task_to_inode, p, inode);
}
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
{
- return security_ops->ipc_permission(ipcp, flag);
+ return call_int_hook(ipc_permission, ipcp, flag);
}
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- security_ops->ipc_getsecid(ipcp, secid);
+ *secid = 0;
+ call_void_hook(ipc_getsecid, ipcp, secid);
}
int security_msg_msg_alloc(struct msg_msg *msg)
{
- return security_ops->msg_msg_alloc_security(msg);
+ return call_alloc_hook(msg_msg_alloc_security, msg_msg_free_security,
+ msg->security, GFP_KERNEL, msg);
}
void security_msg_msg_free(struct msg_msg *msg)
{
- security_ops->msg_msg_free_security(msg);
+ call_void_hook(msg_msg_free_security, msg);
+
+ kfree(msg->security);
+ msg->security = NULL;
}
int security_msg_queue_alloc(struct msg_queue *msq)
{
- return security_ops->msg_queue_alloc_security(msq);
+ struct kern_ipc_perm *kp = &msq->q_perm;
+
+ return call_alloc_hook(msg_queue_alloc_security,
+ msg_queue_free_security, kp->security, GFP_KERNEL,
+ msq);
}
void security_msg_queue_free(struct msg_queue *msq)
{
- security_ops->msg_queue_free_security(msq);
+ call_void_hook(msg_queue_free_security, msq);
+
+ kfree(msq->q_perm.security);
+ msq->q_perm.security = NULL;
}
int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
- return security_ops->msg_queue_associate(msq, msqflg);
+ return call_int_hook(msg_queue_associate, msq, msqflg);
}
int security_msg_queue_msgctl(struct msg_queue *msq, int cmd)
{
- return security_ops->msg_queue_msgctl(msq, cmd);
+ return call_int_hook(msg_queue_msgctl, msq, cmd);
}
int security_msg_queue_msgsnd(struct msg_queue *msq,
struct msg_msg *msg, int msqflg)
{
- return security_ops->msg_queue_msgsnd(msq, msg, msqflg);
+ return call_int_hook(msg_queue_msgsnd, msq, msg, msqflg);
}
int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
struct task_struct *target, long type, int mode)
{
- return security_ops->msg_queue_msgrcv(msq, msg, target, type, mode);
+ return call_int_hook(msg_queue_msgrcv, msq, msg, target, type, mode);
}
int security_shm_alloc(struct shmid_kernel *shp)
{
- return security_ops->shm_alloc_security(shp);
+ struct kern_ipc_perm *kp = &shp->shm_perm;
+
+ return call_alloc_hook(shm_alloc_security, shm_free_security,
+ kp->security, GFP_KERNEL, shp);
}
void security_shm_free(struct shmid_kernel *shp)
{
- security_ops->shm_free_security(shp);
+ call_void_hook(shm_free_security, shp);
+
+ kfree(shp->shm_perm.security);
+ shp->shm_perm.security = NULL;
}
int security_shm_associate(struct shmid_kernel *shp, int shmflg)
{
- return security_ops->shm_associate(shp, shmflg);
+ return call_int_hook(shm_associate, shp, shmflg);
}
int security_shm_shmctl(struct shmid_kernel *shp, int cmd)
{
- return security_ops->shm_shmctl(shp, cmd);
+ return call_int_hook(shm_shmctl, shp, cmd);
}
int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg)
{
- return security_ops->shm_shmat(shp, shmaddr, shmflg);
+ return call_int_hook(shm_shmat, shp, shmaddr, shmflg);
}
int security_sem_alloc(struct sem_array *sma)
{
- return security_ops->sem_alloc_security(sma);
+ struct kern_ipc_perm *kp = &sma->sem_perm;
+
+ return call_alloc_hook(sem_alloc_security, sem_free_security,
+ kp->security, GFP_KERNEL, sma);
}
void security_sem_free(struct sem_array *sma)
{
- security_ops->sem_free_security(sma);
+ call_void_hook(sem_free_security, sma);
+
+ kfree(sma->sem_perm.security);
+ sma->sem_perm.security = NULL;
}
int security_sem_associate(struct sem_array *sma, int semflg)
{
- return security_ops->sem_associate(sma, semflg);
+ return call_int_hook(sem_associate, sma, semflg);
}
int security_sem_semctl(struct sem_array *sma, int cmd)
{
- return security_ops->sem_semctl(sma, cmd);
+ return call_int_hook(sem_semctl, sma, cmd);
}
int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
unsigned nsops, int alter)
{
- return security_ops->sem_semop(sma, sops, nsops, alter);
+ return call_int_hook(sem_semop, sma, sops, nsops, alter);
}
void security_d_instantiate(struct dentry *dentry, struct inode *inode)
{
if (unlikely(inode && IS_PRIVATE(inode)))
return;
- security_ops->d_instantiate(dentry, inode);
+
+ call_void_hook(d_instantiate, dentry, inode);
}
EXPORT_SYMBOL(security_d_instantiate);
int security_getprocattr(struct task_struct *p, char *name, char **value)
{
- return security_ops->getprocattr(p, name, value);
+ struct security_operations *sop;
+ char *lsm;
+ int lsmlen;
+
+ /*
+ * Names will either be in the legacy form containing
+ * no periods (".") or they will be the LSM name followed
+ * by the legacy suffix.
+ * "current" or "selinux.current"
+ *
+ * Legacy names are handled by the presenting LSM.
+ * Suffixed names are handled by the named LSM.
+ */
+ if (lsm_present && !strchr(name, '.'))
+ return present_getprocattr(p, name, value);
+
+ for_each_hook(sop, getprocattr) {
+ lsm = sop->name;
+ lsmlen = strlen(lsm);
+ if (!strncmp(name, lsm, lsmlen) && name[lsmlen] == '.')
+ return sop->getprocattr(p, name + lsmlen + 1, value);
+ }
+ return -EINVAL;
}
-int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size)
+int security_setprocattr(struct task_struct *p, char *name, void *value,
+ size_t size)
{
- return security_ops->setprocattr(p, name, value, size);
+ struct security_operations *sop;
+ char *lsm;
+ int lsmlen;
+
+ /*
+ * Names will either be in the legacy form containing
+ * no periods (".") or they will be the LSM name followed
+ * by the legacy suffix.
+ * "current" or "selinux.current"
+ *
+ * Legacy names are handled by the presenting LSM.
+ * Suffixed names are handled by the named LSM.
+ */
+ if (lsm_present && !strchr(name, '.'))
+ return present_setprocattr(p, name, value, size);
+
+ for_each_hook(sop, setprocattr) {
+ lsm = sop->name;
+ lsmlen = strlen(lsm);
+ if (!strncmp(name, lsm, lsmlen) && name[lsmlen] == '.')
+ return sop->setprocattr(p, name + lsmlen + 1, value,
+ size);
+ }
+ return -EINVAL;
}
int security_netlink_send(struct sock *sk, struct sk_buff *skb)
{
- return security_ops->netlink_send(sk, skb);
+ return call_int_cap_first(netlink_send, sk, skb);
}
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
- return security_ops->secid_to_secctx(secid, secdata, seclen);
+ int rc;
+
+ if (call_int_must(rc, secid_to_secctx, secid, secdata, seclen))
+ return rc;
+ return -EOPNOTSUPP;
}
EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- return security_ops->secctx_to_secid(secdata, seclen, secid);
+ int rc;
+
+ if (call_int_must(rc, secctx_to_secid, secdata, seclen, secid))
+ return rc;
+ *secid = 0;
+ return 0;
}
EXPORT_SYMBOL(security_secctx_to_secid);
void security_release_secctx(char *secdata, u32 seclen)
{
- security_ops->release_secctx(secdata, seclen);
+ call_void_hook(release_secctx, secdata, seclen);
}
EXPORT_SYMBOL(security_release_secctx);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
- return security_ops->inode_notifysecctx(inode, ctx, ctxlen);
+ return call_int_hook(inode_notifysecctx, inode, ctx, ctxlen);
}
EXPORT_SYMBOL(security_inode_notifysecctx);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
- return security_ops->inode_setsecctx(dentry, ctx, ctxlen);
+ return call_int_hook(inode_setsecctx, dentry, ctx, ctxlen);
}
EXPORT_SYMBOL(security_inode_setsecctx);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
{
- return security_ops->inode_getsecctx(inode, ctx, ctxlen);
+ return call_int_hook(inode_getsecctx, inode, ctx, ctxlen);
}
EXPORT_SYMBOL(security_inode_getsecctx);
@@ -1087,188 +1879,228 @@ EXPORT_SYMBOL(security_inode_getsecctx);
int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
{
- return security_ops->unix_stream_connect(sock, other, newsk);
+ return call_int_hook(unix_stream_connect, sock, other, newsk);
}
EXPORT_SYMBOL(security_unix_stream_connect);
int security_unix_may_send(struct socket *sock, struct socket *other)
{
- return security_ops->unix_may_send(sock, other);
+ return call_int_hook(unix_may_send, sock, other);
}
EXPORT_SYMBOL(security_unix_may_send);
int security_socket_create(int family, int type, int protocol, int kern)
{
- return security_ops->socket_create(family, type, protocol, kern);
+ return call_int_hook(socket_create, family, type, protocol, kern);
}
int security_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- return security_ops->socket_post_create(sock, family, type,
- protocol, kern);
+ return call_int_hook(socket_post_create, sock, family, type,
+ protocol, kern);
}
int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
{
- return security_ops->socket_bind(sock, address, addrlen);
+ return call_int_hook(socket_bind, sock, address, addrlen);
}
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
- return security_ops->socket_connect(sock, address, addrlen);
+ return call_int_hook(socket_connect, sock, address, addrlen);
}
int security_socket_listen(struct socket *sock, int backlog)
{
- return security_ops->socket_listen(sock, backlog);
+ return call_int_hook(socket_listen, sock, backlog);
}
int security_socket_accept(struct socket *sock, struct socket *newsock)
{
- return security_ops->socket_accept(sock, newsock);
+ return call_int_hook(socket_accept, sock, newsock);
}
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
- return security_ops->socket_sendmsg(sock, msg, size);
+ return call_int_hook(socket_sendmsg, sock, msg, size);
}
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
int size, int flags)
{
- return security_ops->socket_recvmsg(sock, msg, size, flags);
+ return call_int_hook(socket_recvmsg, sock, msg, size, flags);
}
int security_socket_getsockname(struct socket *sock)
{
- return security_ops->socket_getsockname(sock);
+ return call_int_hook(socket_getsockname, sock);
}
int security_socket_getpeername(struct socket *sock)
{
- return security_ops->socket_getpeername(sock);
+ return call_int_hook(socket_getpeername, sock);
}
int security_socket_getsockopt(struct socket *sock, int level, int optname)
{
- return security_ops->socket_getsockopt(sock, level, optname);
+ return call_int_hook(socket_getsockopt, sock, level, optname);
}
int security_socket_setsockopt(struct socket *sock, int level, int optname)
{
- return security_ops->socket_setsockopt(sock, level, optname);
+ return call_int_hook(socket_setsockopt, sock, level, optname);
}
int security_socket_shutdown(struct socket *sock, int how)
{
- return security_ops->socket_shutdown(sock, how);
+ return call_int_hook(socket_shutdown, sock, how);
}
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
- return security_ops->socket_sock_rcv_skb(sk, skb);
+ return call_int_hook(socket_sock_rcv_skb, sk, skb);
}
EXPORT_SYMBOL(security_sock_rcv_skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len)
{
- return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
+ int rc;
+
+ if (call_int_must(rc, socket_getpeersec_stream, sock, optval,
+ optlen, len))
+ return rc;
+ return -ENOPROTOOPT;
}
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
- return security_ops->socket_getpeersec_dgram(sock, skb, secid);
+ int rc;
+
+ if (call_int_must(rc, socket_getpeersec_dgram, sock, skb, secid))
+ return rc;
+ return -ENOPROTOOPT;
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
{
- return security_ops->sk_alloc_security(sk, family, priority);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ sk->sk_security = &tblob;
+
+ for_each_hook(sop, sk_alloc_security) {
+ rc = sop->sk_alloc_security(sk, family, priority);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), priority);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->sk_free_security(sk);
+ }
+ }
+ sk->sk_security = bp;
+ return rc;
}
void security_sk_free(struct sock *sk)
{
- security_ops->sk_free_security(sk);
+ call_void_hook(sk_free_security, sk);
+
+ kfree(sk->sk_security);
+ sk->sk_security = NULL;
}
void security_sk_clone(const struct sock *sk, struct sock *newsk)
{
- security_ops->sk_clone_security(sk, newsk);
+ call_void_hook(sk_clone_security, sk, newsk);
}
EXPORT_SYMBOL(security_sk_clone);
void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
- security_ops->sk_getsecid(sk, &fl->flowi_secid);
+ call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
}
EXPORT_SYMBOL(security_sk_classify_flow);
void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
{
- security_ops->req_classify_flow(req, fl);
+ call_void_hook(req_classify_flow, req, fl);
}
EXPORT_SYMBOL(security_req_classify_flow);
void security_sock_graft(struct sock *sk, struct socket *parent)
{
- security_ops->sock_graft(sk, parent);
+ call_void_hook(sock_graft, sk, parent);
}
EXPORT_SYMBOL(security_sock_graft);
int security_inet_conn_request(struct sock *sk,
struct sk_buff *skb, struct request_sock *req)
{
- return security_ops->inet_conn_request(sk, skb, req);
+ return call_int_hook(inet_conn_request, sk, skb, req);
}
EXPORT_SYMBOL(security_inet_conn_request);
void security_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- security_ops->inet_csk_clone(newsk, req);
+ call_void_hook(inet_csk_clone, newsk, req);
}
void security_inet_conn_established(struct sock *sk,
struct sk_buff *skb)
{
- security_ops->inet_conn_established(sk, skb);
+ call_void_hook(inet_conn_established, sk, skb);
}
int security_secmark_relabel_packet(u32 secid)
{
- return security_ops->secmark_relabel_packet(secid);
+ return call_int_hook(secmark_relabel_packet, secid);
}
EXPORT_SYMBOL(security_secmark_relabel_packet);
void security_secmark_refcount_inc(void)
{
- security_ops->secmark_refcount_inc();
+ call_void_hook(secmark_refcount_inc);
}
EXPORT_SYMBOL(security_secmark_refcount_inc);
void security_secmark_refcount_dec(void)
{
- security_ops->secmark_refcount_dec();
+ call_void_hook(secmark_refcount_dec);
}
EXPORT_SYMBOL(security_secmark_refcount_dec);
int security_tun_dev_create(void)
{
- return security_ops->tun_dev_create();
+ return call_int_hook(tun_dev_create);
}
EXPORT_SYMBOL(security_tun_dev_create);
void security_tun_dev_post_create(struct sock *sk)
{
- return security_ops->tun_dev_post_create(sk);
+ call_void_hook(tun_dev_post_create, sk);
}
EXPORT_SYMBOL(security_tun_dev_post_create);
int security_tun_dev_attach(struct sock *sk)
{
- return security_ops->tun_dev_attach(sk);
+ return call_int_hook(tun_dev_attach, sk);
}
EXPORT_SYMBOL(security_tun_dev_attach);
@@ -1276,78 +2108,94 @@ EXPORT_SYMBOL(security_tun_dev_attach);
#ifdef CONFIG_SECURITY_NETWORK_XFRM
+/*
+ * The xfrm hooks present special issues for composition
+ * as they don't use the usual scheme for passing in blobs.
+ * LSM registration checks ensure that only one xfrm using
+ * security module is loaded at a time.
+ * This shouldn't be much of an issue since SELinux is the
+ * only security module ever expected to use xfrm.
+ */
int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx)
{
- return security_ops->xfrm_policy_alloc_security(ctxp, sec_ctx);
+ return call_int_hook(xfrm_policy_alloc_security, ctxp, sec_ctx);
}
EXPORT_SYMBOL(security_xfrm_policy_alloc);
int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
struct xfrm_sec_ctx **new_ctxp)
{
- return security_ops->xfrm_policy_clone_security(old_ctx, new_ctxp);
+ return call_int_hook(xfrm_policy_clone_security, old_ctx, new_ctxp);
}
void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
- security_ops->xfrm_policy_free_security(ctx);
+ call_void_hook(xfrm_policy_free_security, ctx);
}
EXPORT_SYMBOL(security_xfrm_policy_free);
int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
- return security_ops->xfrm_policy_delete_security(ctx);
+ return call_int_hook(xfrm_policy_delete_security, ctx);
}
int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
{
- return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0);
+ return call_int_hook(xfrm_state_alloc_security, x, sec_ctx, 0);
}
EXPORT_SYMBOL(security_xfrm_state_alloc);
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 secid)
{
- if (!polsec)
- return 0;
/*
* We want the context to be taken from secid which is usually
* from the sock.
*/
- return security_ops->xfrm_state_alloc_security(x, NULL, secid);
+
+ if (!polsec)
+ return 0;
+
+ return call_int_hook(xfrm_state_alloc_security, x, NULL, secid);
}
int security_xfrm_state_delete(struct xfrm_state *x)
{
- return security_ops->xfrm_state_delete_security(x);
+ return call_int_hook(xfrm_state_delete_security, x);
}
EXPORT_SYMBOL(security_xfrm_state_delete);
void security_xfrm_state_free(struct xfrm_state *x)
{
- security_ops->xfrm_state_free_security(x);
+ call_void_hook(xfrm_state_free_security, x);
}
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
- return security_ops->xfrm_policy_lookup(ctx, fl_secid, dir);
+ return call_int_hook(xfrm_policy_lookup, ctx, fl_secid, dir);
}
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
struct xfrm_policy *xp,
const struct flowi *fl)
{
- return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
+ int rc;
+
+ if (call_int_must(rc, xfrm_state_pol_flow_match, x, xp, fl))
+ return rc;
+ return 1;
}
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
- return security_ops->xfrm_decode_session(skb, secid, 1);
+ return call_int_hook(xfrm_decode_session, skb, secid, 1);
}
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
{
- int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0);
+ int rc;
+
+ rc = call_int_hook(xfrm_decode_session, skb, &fl->flowi_secid, 0);
BUG_ON(rc);
}
@@ -1360,23 +2208,60 @@ EXPORT_SYMBOL(security_skb_classify_flow);
int security_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- return security_ops->key_alloc(key, cred, flags);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ key->security = &tblob;
+
+ for_each_hook(sop, key_alloc) {
+ rc = sop->key_alloc(key, cred, flags);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), GFP_KERNEL);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->key_free(key);
+ }
+ }
+
+ key->security = bp;
+ return rc;
}
void security_key_free(struct key *key)
{
- security_ops->key_free(key);
+ call_void_hook(key_free, key);
+
+ kfree(key->security);
+ key->security = NULL;
}
int security_key_permission(key_ref_t key_ref,
const struct cred *cred, key_perm_t perm)
{
- return security_ops->key_permission(key_ref, cred, perm);
+ return call_int_hook(key_permission, key_ref, cred, perm);
}
int security_key_getsecurity(struct key *key, char **_buffer)
{
- return security_ops->key_getsecurity(key, _buffer);
+ int rc;
+
+ if (call_int_must(rc, key_getsecurity, key, _buffer))
+ return rc;
+ *_buffer = NULL;
+ return 0;
}
#endif /* CONFIG_KEYS */
@@ -1385,23 +2270,24 @@ int security_key_getsecurity(struct key *key, char **_buffer)
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
- return security_ops->audit_rule_init(field, op, rulestr, lsmrule);
+ return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule);
}
int security_audit_rule_known(struct audit_krule *krule)
{
- return security_ops->audit_rule_known(krule);
+ return call_int_hook(audit_rule_known, krule);
}
void security_audit_rule_free(void *lsmrule)
{
- security_ops->audit_rule_free(lsmrule);
+ call_void_hook(audit_rule_free, lsmrule);
}
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx)
{
- return security_ops->audit_rule_match(secid, field, op, lsmrule, actx);
+ return call_int_hook(audit_rule_match, secid, field, op, lsmrule,
+ actx);
}
#endif /* CONFIG_AUDIT */
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 3/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Handle any preconditions in the hooks directly.
Treat allocation and procattr hooks specially.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/security.c | 1496 ++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 1191 insertions(+), 305 deletions(-)
diff --git a/security/security.c b/security/security.c
index daa97f4..72bf9dc 100644
--- a/security/security.c
+++ b/security/security.c
@@ -25,30 +25,287 @@
#include <linux/personality.h>
#include <linux/backing-dev.h>
#include <net/flow.h>
+#include <linux/lsm.h>
+#include <linux/shm.h>
+#include <linux/string.h>
#define MAX_LSM_EVM_XATTR 2
+#define PRESENT_FIRST "FIRSTLSM"
/* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
- CONFIG_DEFAULT_SECURITY;
-static struct security_operations *security_ops;
-static struct security_operations default_security_ops = {
- .name = "default",
-};
+static __initdata char specified_lsms[COMPOSER_MAX][SECURITY_NAME_MAX + 1];
+static __initdata char allowed_lsms[COMPOSER_NAMES_MAX];
+static __initdata char present_lsm[SECURITY_NAME_MAX + 1] =
+ CONFIG_PRESENT_SECURITY;
-static inline int __init verify(struct security_operations *ops)
+struct list_head lsm_hooks[LSM_MAX_HOOKS];
+struct security_operations *lsm_present;
+
+static int (*present_getprocattr)
+ (struct task_struct *p, char *name, char **value);
+static int (*present_setprocattr)
+ (struct task_struct *p, char *name, void *value, size_t size);
+
+static int lsm_count;
+
+#define for_each_hook(SOP, HOOK) \
+ list_for_each_entry(SOP, &lsm_hooks[lsm_##HOOK], list[lsm_##HOOK])
+
+/*
+ * Add an entry to a list of security operation vectors.
+ * The "interesting" logic is included here rather than in the
+ * caller to reduce the volume of the calling code.
+ */
+static void __init lsm_enlist(struct security_operations *ops,
+ const enum lsm_hooks_index index,
+ void *interesting)
{
- /* verify the security_operations structure exists */
- if (!ops)
- return -EINVAL;
- security_fixup_ops(ops);
- return 0;
+ struct security_operations *sop;
+
+ if (!interesting) {
+ INIT_LIST_HEAD(&ops->list[index]);
+ return;
+ }
+
+ if (list_empty(&lsm_hooks[index])) {
+ list_add_rcu(&ops->list[index], &lsm_hooks[index]);
+ return;
+ }
+
+ list_for_each_entry(sop, &lsm_hooks[index], list[index]) {
+ if (ops->order < sop->order) {
+ list_add_tail_rcu(&ops->list[index], &sop->list[index]);
+ return;
+ }
+ if (list_is_last(&sop->list[index], &lsm_hooks[index])) {
+ list_add_rcu(&ops->list[index], &sop->list[index]);
+ return;
+ }
+ }
+}
+
+static void __init lsm_enlist_ops(struct security_operations *sop)
+{
+ lsm_enlist(sop, lsm_ptrace_access_check, sop->ptrace_access_check);
+ lsm_enlist(sop, lsm_ptrace_traceme, sop->ptrace_traceme);
+ lsm_enlist(sop, lsm_capget, sop->capget);
+ lsm_enlist(sop, lsm_capset, sop->capset);
+ lsm_enlist(sop, lsm_capable, sop->capable);
+ lsm_enlist(sop, lsm_quotactl, sop->quotactl);
+ lsm_enlist(sop, lsm_quota_on, sop->quota_on);
+ lsm_enlist(sop, lsm_syslog, sop->syslog);
+ lsm_enlist(sop, lsm_settime, sop->settime);
+ lsm_enlist(sop, lsm_vm_enough_memory, sop->vm_enough_memory);
+ lsm_enlist(sop, lsm_bprm_set_creds, sop->bprm_set_creds);
+ lsm_enlist(sop, lsm_bprm_check_security, sop->bprm_check_security);
+ lsm_enlist(sop, lsm_bprm_committing_creds, sop->bprm_committing_creds);
+ lsm_enlist(sop, lsm_bprm_committed_creds, sop->bprm_committed_creds);
+ lsm_enlist(sop, lsm_bprm_secureexec, sop->bprm_secureexec);
+ lsm_enlist(sop, lsm_sb_alloc_security, sop->sb_alloc_security);
+ lsm_enlist(sop, lsm_sb_free_security, sop->sb_free_security);
+ lsm_enlist(sop, lsm_sb_copy_data, sop->sb_copy_data);
+ lsm_enlist(sop, lsm_sb_remount, sop->sb_remount);
+ lsm_enlist(sop, lsm_sb_kern_mount, sop->sb_kern_mount);
+ lsm_enlist(sop, lsm_sb_show_options, sop->sb_show_options);
+ lsm_enlist(sop, lsm_sb_statfs, sop->sb_statfs);
+ lsm_enlist(sop, lsm_sb_mount, sop->sb_mount);
+ lsm_enlist(sop, lsm_sb_umount, sop->sb_umount);
+ lsm_enlist(sop, lsm_sb_pivotroot, sop->sb_pivotroot);
+ lsm_enlist(sop, lsm_sb_set_mnt_opts, sop->sb_set_mnt_opts);
+ lsm_enlist(sop, lsm_sb_clone_mnt_opts, sop->sb_clone_mnt_opts);
+ lsm_enlist(sop, lsm_sb_parse_opts_str, sop->sb_parse_opts_str);
+ lsm_enlist(sop, lsm_inode_alloc_security, sop->inode_alloc_security);
+ lsm_enlist(sop, lsm_inode_free_security, sop->inode_free_security);
+ lsm_enlist(sop, lsm_inode_init_security, sop->inode_init_security);
+#ifdef CONFIG_SECURITY_PATH
+ lsm_enlist(sop, lsm_path_mknod, sop->path_mknod);
+ lsm_enlist(sop, lsm_path_mkdir, sop->path_mkdir);
+ lsm_enlist(sop, lsm_path_rmdir, sop->path_rmdir);
+ lsm_enlist(sop, lsm_path_unlink, sop->path_unlink);
+ lsm_enlist(sop, lsm_path_symlink, sop->path_symlink);
+ lsm_enlist(sop, lsm_path_link, sop->path_link);
+ lsm_enlist(sop, lsm_path_rename, sop->path_rename);
+ lsm_enlist(sop, lsm_path_truncate, sop->path_truncate);
+ lsm_enlist(sop, lsm_path_chmod, sop->path_chmod);
+ lsm_enlist(sop, lsm_path_chown, sop->path_chown);
+ lsm_enlist(sop, lsm_path_chroot, sop->path_chroot);
+#endif
+ lsm_enlist(sop, lsm_inode_create, sop->inode_create);
+ lsm_enlist(sop, lsm_inode_link, sop->inode_link);
+ lsm_enlist(sop, lsm_inode_unlink, sop->inode_unlink);
+ lsm_enlist(sop, lsm_inode_symlink, sop->inode_symlink);
+ lsm_enlist(sop, lsm_inode_mkdir, sop->inode_mkdir);
+ lsm_enlist(sop, lsm_inode_rmdir, sop->inode_rmdir);
+ lsm_enlist(sop, lsm_inode_mknod, sop->inode_mknod);
+ lsm_enlist(sop, lsm_inode_rename, sop->inode_rename);
+ lsm_enlist(sop, lsm_inode_readlink, sop->inode_readlink);
+ lsm_enlist(sop, lsm_inode_follow_link, sop->inode_follow_link);
+ lsm_enlist(sop, lsm_inode_permission, sop->inode_permission);
+ lsm_enlist(sop, lsm_inode_setattr, sop->inode_setattr);
+ lsm_enlist(sop, lsm_inode_getattr, sop->inode_getattr);
+ lsm_enlist(sop, lsm_inode_setxattr, sop->inode_setxattr);
+ lsm_enlist(sop, lsm_inode_post_setxattr, sop->inode_post_setxattr);
+ lsm_enlist(sop, lsm_inode_getxattr, sop->inode_getxattr);
+ lsm_enlist(sop, lsm_inode_listxattr, sop->inode_listxattr);
+ lsm_enlist(sop, lsm_inode_removexattr, sop->inode_removexattr);
+ lsm_enlist(sop, lsm_inode_need_killpriv, sop->inode_need_killpriv);
+ lsm_enlist(sop, lsm_inode_killpriv, sop->inode_killpriv);
+ lsm_enlist(sop, lsm_inode_getsecurity, sop->inode_getsecurity);
+ lsm_enlist(sop, lsm_inode_setsecurity, sop->inode_setsecurity);
+ lsm_enlist(sop, lsm_inode_listsecurity, sop->inode_listsecurity);
+ lsm_enlist(sop, lsm_inode_getsecid, sop->inode_getsecid);
+ lsm_enlist(sop, lsm_file_permission, sop->file_permission);
+ lsm_enlist(sop, lsm_file_alloc_security, sop->file_alloc_security);
+ lsm_enlist(sop, lsm_file_free_security, sop->file_free_security);
+ lsm_enlist(sop, lsm_file_ioctl, sop->file_ioctl);
+ lsm_enlist(sop, lsm_mmap_file, sop->mmap_file);
+ lsm_enlist(sop, lsm_mmap_addr, sop->mmap_addr);
+ lsm_enlist(sop, lsm_file_mprotect, sop->file_mprotect);
+ lsm_enlist(sop, lsm_file_lock, sop->file_lock);
+ lsm_enlist(sop, lsm_file_fcntl, sop->file_fcntl);
+ lsm_enlist(sop, lsm_file_set_fowner, sop->file_set_fowner);
+ lsm_enlist(sop, lsm_file_send_sigiotask, sop->file_send_sigiotask);
+ lsm_enlist(sop, lsm_file_receive, sop->file_receive);
+ lsm_enlist(sop, lsm_file_open, sop->file_open);
+ lsm_enlist(sop, lsm_task_create, sop->task_create);
+ lsm_enlist(sop, lsm_task_free, sop->task_free);
+ lsm_enlist(sop, lsm_cred_alloc_blank, sop->cred_alloc_blank);
+ lsm_enlist(sop, lsm_cred_free, sop->cred_free);
+ lsm_enlist(sop, lsm_cred_prepare, sop->cred_prepare);
+ lsm_enlist(sop, lsm_cred_transfer, sop->cred_transfer);
+ lsm_enlist(sop, lsm_kernel_act_as, sop->kernel_act_as);
+ lsm_enlist(sop, lsm_kernel_create_files_as,
+ sop->kernel_create_files_as);
+ lsm_enlist(sop, lsm_kernel_module_request, sop->kernel_module_request);
+ lsm_enlist(sop, lsm_kernel_module_from_file,
+ sop->kernel_module_from_file);
+ lsm_enlist(sop, lsm_task_fix_setuid, sop->task_fix_setuid);
+ lsm_enlist(sop, lsm_task_setpgid, sop->task_setpgid);
+ lsm_enlist(sop, lsm_task_getpgid, sop->task_getpgid);
+ lsm_enlist(sop, lsm_task_getsid, sop->task_getsid);
+ lsm_enlist(sop, lsm_task_getsecid, sop->task_getsecid);
+ lsm_enlist(sop, lsm_task_setnice, sop->task_setnice);
+ lsm_enlist(sop, lsm_task_setioprio, sop->task_setioprio);
+ lsm_enlist(sop, lsm_task_getioprio, sop->task_getioprio);
+ lsm_enlist(sop, lsm_task_setrlimit, sop->task_setrlimit);
+ lsm_enlist(sop, lsm_task_setscheduler, sop->task_setscheduler);
+ lsm_enlist(sop, lsm_task_getscheduler, sop->task_getscheduler);
+ lsm_enlist(sop, lsm_task_movememory, sop->task_movememory);
+ lsm_enlist(sop, lsm_task_kill, sop->task_kill);
+ lsm_enlist(sop, lsm_task_wait, sop->task_wait);
+ lsm_enlist(sop, lsm_task_prctl, sop->task_prctl);
+ lsm_enlist(sop, lsm_task_to_inode, sop->task_to_inode);
+ lsm_enlist(sop, lsm_ipc_permission, sop->ipc_permission);
+ lsm_enlist(sop, lsm_ipc_getsecid, sop->ipc_getsecid);
+ lsm_enlist(sop, lsm_msg_msg_alloc_security,
+ sop->msg_msg_alloc_security);
+ lsm_enlist(sop, lsm_msg_msg_free_security, sop->msg_msg_free_security);
+ lsm_enlist(sop, lsm_msg_queue_alloc_security,
+ sop->msg_queue_alloc_security);
+ lsm_enlist(sop, lsm_msg_queue_free_security,
+ sop->msg_queue_free_security);
+ lsm_enlist(sop, lsm_msg_queue_associate, sop->msg_queue_associate);
+ lsm_enlist(sop, lsm_msg_queue_msgctl, sop->msg_queue_msgctl);
+ lsm_enlist(sop, lsm_msg_queue_msgsnd, sop->msg_queue_msgsnd);
+ lsm_enlist(sop, lsm_msg_queue_msgrcv, sop->msg_queue_msgrcv);
+ lsm_enlist(sop, lsm_shm_alloc_security, sop->shm_alloc_security);
+ lsm_enlist(sop, lsm_shm_free_security, sop->shm_free_security);
+ lsm_enlist(sop, lsm_shm_associate, sop->shm_associate);
+ lsm_enlist(sop, lsm_shm_shmctl, sop->shm_shmctl);
+ lsm_enlist(sop, lsm_shm_shmat, sop->shm_shmat);
+ lsm_enlist(sop, lsm_sem_alloc_security, sop->sem_alloc_security);
+ lsm_enlist(sop, lsm_sem_free_security, sop->sem_free_security);
+ lsm_enlist(sop, lsm_sem_associate, sop->sem_associate);
+ lsm_enlist(sop, lsm_sem_semctl, sop->sem_semctl);
+ lsm_enlist(sop, lsm_sem_semop, sop->sem_semop);
+ lsm_enlist(sop, lsm_d_instantiate, sop->d_instantiate);
+ lsm_enlist(sop, lsm_getprocattr, sop->getprocattr);
+ lsm_enlist(sop, lsm_setprocattr, sop->setprocattr);
+ lsm_enlist(sop, lsm_netlink_send, sop->netlink_send);
+ lsm_enlist(sop, lsm_secid_to_secctx, sop->secid_to_secctx);
+ lsm_enlist(sop, lsm_secctx_to_secid, sop->secctx_to_secid);
+ lsm_enlist(sop, lsm_release_secctx, sop->release_secctx);
+ lsm_enlist(sop, lsm_inode_notifysecctx, sop->inode_notifysecctx);
+ lsm_enlist(sop, lsm_inode_setsecctx, sop->inode_setsecctx);
+ lsm_enlist(sop, lsm_inode_getsecctx, sop->inode_getsecctx);
+#ifdef CONFIG_SECURITY_NETWORK
+ lsm_enlist(sop, lsm_unix_stream_connect, sop->unix_stream_connect);
+ lsm_enlist(sop, lsm_unix_may_send, sop->unix_may_send);
+ lsm_enlist(sop, lsm_socket_create, sop->socket_create);
+ lsm_enlist(sop, lsm_socket_post_create, sop->socket_post_create);
+ lsm_enlist(sop, lsm_socket_bind, sop->socket_bind);
+ lsm_enlist(sop, lsm_socket_connect, sop->socket_connect);
+ lsm_enlist(sop, lsm_socket_listen, sop->socket_listen);
+ lsm_enlist(sop, lsm_socket_accept, sop->socket_accept);
+ lsm_enlist(sop, lsm_socket_sendmsg, sop->socket_sendmsg);
+ lsm_enlist(sop, lsm_socket_recvmsg, sop->socket_recvmsg);
+ lsm_enlist(sop, lsm_socket_getsockname, sop->socket_getsockname);
+ lsm_enlist(sop, lsm_socket_getpeername, sop->socket_getpeername);
+ lsm_enlist(sop, lsm_socket_getsockopt, sop->socket_getsockopt);
+ lsm_enlist(sop, lsm_socket_setsockopt, sop->socket_setsockopt);
+ lsm_enlist(sop, lsm_socket_shutdown, sop->socket_shutdown);
+ lsm_enlist(sop, lsm_socket_sock_rcv_skb, sop->socket_sock_rcv_skb);
+ lsm_enlist(sop, lsm_socket_getpeersec_stream,
+ sop->socket_getpeersec_stream);
+ lsm_enlist(sop, lsm_socket_getpeersec_dgram,
+ sop->socket_getpeersec_dgram);
+ lsm_enlist(sop, lsm_sk_alloc_security, sop->sk_alloc_security);
+ lsm_enlist(sop, lsm_sk_free_security, sop->sk_free_security);
+ lsm_enlist(sop, lsm_sk_clone_security, sop->sk_clone_security);
+ lsm_enlist(sop, lsm_req_classify_flow, sop->req_classify_flow);
+ lsm_enlist(sop, lsm_sock_graft, sop->sock_graft);
+ lsm_enlist(sop, lsm_inet_conn_request, sop->inet_conn_request);
+ lsm_enlist(sop, lsm_inet_csk_clone, sop->inet_csk_clone);
+ lsm_enlist(sop, lsm_inet_conn_established, sop->inet_conn_established);
+ lsm_enlist(sop, lsm_secmark_relabel_packet,
+ sop->secmark_relabel_packet);
+ lsm_enlist(sop, lsm_secmark_refcount_inc, sop->secmark_refcount_inc);
+ lsm_enlist(sop, lsm_secmark_refcount_dec, sop->secmark_refcount_dec);
+ lsm_enlist(sop, lsm_tun_dev_create, sop->tun_dev_create);
+ lsm_enlist(sop, lsm_tun_dev_post_create, sop->tun_dev_post_create);
+ lsm_enlist(sop, lsm_tun_dev_attach, sop->tun_dev_attach);
+#endif
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+ lsm_enlist(sop, lsm_xfrm_policy_alloc_security,
+ sop->xfrm_policy_alloc_security);
+ lsm_enlist(sop, lsm_xfrm_policy_clone_security,
+ sop->xfrm_policy_clone_security);
+ lsm_enlist(sop, lsm_xfrm_policy_free_security,
+ sop->xfrm_policy_free_security);
+ lsm_enlist(sop, lsm_xfrm_policy_delete_security,
+ sop->xfrm_policy_delete_security);
+ lsm_enlist(sop, lsm_xfrm_state_alloc_security,
+ sop->xfrm_state_alloc_security);
+ lsm_enlist(sop, lsm_xfrm_state_delete_security,
+ sop->xfrm_state_delete_security);
+ lsm_enlist(sop, lsm_xfrm_state_free_security,
+ sop->xfrm_state_free_security);
+ lsm_enlist(sop, lsm_xfrm_policy_lookup, sop->xfrm_policy_lookup);
+ lsm_enlist(sop, lsm_xfrm_state_pol_flow_match,
+ sop->xfrm_state_pol_flow_match);
+ lsm_enlist(sop, lsm_xfrm_decode_session, sop->xfrm_decode_session);
+#endif
+#ifdef CONFIG_KEYS
+ lsm_enlist(sop, lsm_key_alloc, sop->key_alloc);
+ lsm_enlist(sop, lsm_key_free, sop->key_free);
+ lsm_enlist(sop, lsm_key_permission, sop->key_permission);
+ lsm_enlist(sop, lsm_key_getsecurity, sop->key_getsecurity);
+#endif
+#ifdef CONFIG_AUDIT
+ lsm_enlist(sop, lsm_audit_rule_init, sop->audit_rule_init);
+ lsm_enlist(sop, lsm_audit_rule_known, sop->audit_rule_known);
+ lsm_enlist(sop, lsm_audit_rule_free, sop->audit_rule_free);
+ lsm_enlist(sop, lsm_audit_rule_match, sop->audit_rule_match);
+#endif
+
+ lsm_enlist(sop, lsm_name, sop->name);
}
static void __init do_security_initcalls(void)
{
initcall_t *call;
+
call = __security_initcall_start;
while (call < __security_initcall_end) {
(*call) ();
@@ -63,24 +320,71 @@ static void __init do_security_initcalls(void)
*/
int __init security_init(void)
{
- printk(KERN_INFO "Security Framework initialized\n");
+ enum lsm_hooks_index i;
+
+ for (i = 0; i < LSM_MAX_HOOKS; i++)
+ INIT_LIST_HEAD(&lsm_hooks[i]);
+
+ pr_info("Security Framework initialized\n");
- security_fixup_ops(&default_security_ops);
- security_ops = &default_security_ops;
do_security_initcalls();
return 0;
}
-void reset_security_ops(void)
+/*
+ * Only SELinux calls reset_security_ops.
+ */
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+
+static void lsm_delist_ops(struct security_operations *sop)
{
- security_ops = &default_security_ops;
+ enum lsm_hooks_index i;
+
+ for (i = 0; i < LSM_MAX_HOOKS; i++)
+ if (sop->list[i].next && !list_empty(&sop->list[i]))
+ list_del_rcu(&sop->list[i]);
+ return;
}
-/* Save user chosen LSM */
+int reset_security_ops(struct security_operations *ops)
+{
+ /*
+ * This LSM is configured to own /proc/.../attr.
+ */
+ if (lsm_present == ops)
+ lsm_present = NULL;
+
+ lsm_delist_ops(ops);
+
+ return 0;
+}
+
+#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
+
+/* Save user chosen LSM(s) */
static int __init choose_lsm(char *str)
{
- strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
+ char *cp;
+ char *ep;
+ int i;
+
+ strncpy(allowed_lsms, str, COMPOSER_NAMES_MAX);
+ cp = allowed_lsms;
+
+ for (i = 0; i < COMPOSER_MAX; i++) {
+ ep = strchr(cp, ',');
+ if (ep != NULL)
+ *ep = '\0';
+ if (strlen(cp) > SECURITY_NAME_MAX)
+ pr_warn("LSM \"%s\" is invalid and ignored.\n", cp);
+ else
+ strncpy(specified_lsms[i], cp, SECURITY_NAME_MAX);
+ if (ep == NULL)
+ break;
+ cp = ep + 1;
+ }
+
return 1;
}
__setup("security=", choose_lsm);
@@ -94,74 +398,303 @@ __setup("security=", choose_lsm);
* to check if your LSM is currently loaded during kernel initialization.
*
* Return true if:
- * -The passed LSM is the one chosen by user at boot time,
- * -or the passed LSM is configured as the default and the user did not
- * choose an alternate LSM at boot time.
+ * -The passed LSM is on the list of LSMs specified at boot time,
+ * -or no boot list was specified.
* Otherwise, return false.
*/
int __init security_module_enable(struct security_operations *ops)
{
- return !strcmp(ops->name, chosen_lsm);
-}
+ struct security_operations *sop;
+ int i;
-/**
- * register_security - registers a security framework with the kernel
- * @ops: a pointer to the struct security_options that is to be registered
- *
- * This function allows a security module to register itself with the
- * kernel security subsystem. Some rudimentary checking is done on the @ops
- * value passed to this function. You'll need to check first if your LSM
- * is allowed to register its @ops by calling security_module_enable(@ops).
- *
- * If there is already a security module registered with the kernel,
- * an error will be returned. Otherwise %0 is returned on success.
- */
-int __init register_security(struct security_operations *ops)
-{
- if (verify(ops)) {
- printk(KERN_DEBUG "%s could not verify "
- "security_operations structure.\n", __func__);
- return -EINVAL;
+ /*
+ * Set up the operation vector early, but only once.
+ * This allows LSM specific file systems to check to see if they
+ * should come on line.
+ */
+ if (ops == NULL) {
+ pr_debug("%s could not verify security_operations.\n",
+ __func__);
+ return 0;
}
+ /*
+ * Return success if the LSM is already resistered
+ */
+ for_each_hook(sop, name)
+ if (sop == ops)
+ return 1;
- if (security_ops != &default_security_ops)
- return -EAGAIN;
+ /*
+ * This LSM has not yet been ordered.
+ */
+ ops->order = -1;
- security_ops = ops;
+ if (lsm_count >= COMPOSER_MAX) {
+ pr_warn("Too many security modules. %s not loaded.\n",
+ ops->name);
+ return 0;
+ }
- return 0;
+ if (specified_lsms[0][0] != '\0') {
+ for (i = 0; specified_lsms[i][0] != '\0'; i++) {
+ if (strcmp(ops->name, specified_lsms[i]) == 0) {
+ ops->order = i;
+ break;
+ }
+ }
+ if (ops->order == -1) {
+ pr_notice("LSM %s declined by boot options.\n",
+ ops->name);
+ return 0;
+ }
+ }
+ /*
+ * Check for conflicting LSMs.
+ */
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+ if (ops->xfrm_policy_alloc_security &&
+ !list_empty(&lsm_hooks[lsm_xfrm_policy_alloc_security])) {
+ pr_warn("LSM conflict on %s. %s not loaded.\n",
+ "xfrm_policy_alloc_security", ops->name);
+ return 0;
+ }
+#endif
+ if (ops->secid_to_secctx &&
+ !list_empty(&lsm_hooks[lsm_secid_to_secctx])) {
+ pr_warn("LSM conflict on %s. %s not loaded.\n",
+ "secid_to_secctx", ops->name);
+ return 0;
+ }
+
+ /*
+ * The order will already be set if the command line
+ * includes "security=".
+ *
+ * Do this before the enlisting. If there is an error
+ * (Very unlikely!) that prevents the enlisting from
+ * completing it is still necessary to have a blob slot
+ * for it.
+ */
+ if (ops->order == -1)
+ ops->order = lsm_count;
+ lsm_count++;
+
+ /*
+ * Use the LSM specified by CONFIG_SECURITY_PRESENT for
+ * [gs]etprocattr. If the LSM specified is PRESENT_FIRST
+ * use the first LSM to register that has the hooks.
+ * If the specified LSM lacks the hooks treat it as if
+ * there is no LSM registered that supplied them.
+ */
+ if (ops->getprocattr && ops->setprocattr &&
+ (!strcmp(ops->name, present_lsm) ||
+ (!lsm_present && !strcmp(PRESENT_FIRST, present_lsm)))) {
+ lsm_present = ops;
+ present_getprocattr = ops->getprocattr;
+ present_setprocattr = ops->setprocattr;
+ pr_info("Security Module %s is presented in /proc.\n",
+ ops->name);
+ }
+ /*
+ * Return success after registering the LSM.
+ */
+ lsm_enlist_ops(ops);
+
+ return 1;
}
/* Security operations */
+/*
+ * Because so many of the cases are treated the same it
+ * cleans things up to use these macros instead of having
+ * duplicate text all over the place.
+ *
+ * call_void_hook:
+ * This is a hook that does not return a value.
+ *
+ * call_int_hook:
+ * This is hook that returns a value. Return the last
+ * non-zero return.
+ *
+ * call_int_must:
+ * Returns 1 if any LSMs actually had hooks and one
+ * or more got called. The return value goes into RC.
+ *
+ * call_int_cap_first:
+ * Like cap_int_hook, but call the cap_hook first and
+ * bail on fail.
+ *
+ * call_int_cap_last:
+ * Like cap_int_cap_first, but call the cap_hook last.
+ *
+ * call_alloc_hook:
+ * Allocate not only the LSM security blobs, but a blob
+ * to hold pointers to all of them as well.
+ *
+ */
+#define call_void_hook(FUNC, ...) \
+ do { \
+ struct security_operations *sop; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) \
+ sop->FUNC(__VA_ARGS__); \
+ } while (0) \
+
+#define call_int_hook(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ } while (0); \
+ rc; \
+})
+
+#define call_int_must(RC, FUNC, ...) ({ \
+ int called = 0; \
+ RC = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ RC = thisrc; \
+ called = 1; \
+ } \
+ } while (0); \
+ called; \
+})
+
+#define call_int_cap_first(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ thisrc = cap_##FUNC(__VA_ARGS__); \
+ if (thisrc) { \
+ rc = thisrc; \
+ break; \
+ } \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ } while (0); \
+ rc; \
+})
+
+#define call_int_cap_last(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ \
+ if (!rc) \
+ rc = cap_##FUNC(__VA_ARGS__); \
+ } while (0); \
+ rc; \
+})
+
+
+#define call_alloc_hook(ALLOC, FREE, FIELD, GFP, ARG) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ struct security_operations *note[COMPOSER_MAX]; \
+ struct lsm_blob tblob; \
+ struct lsm_blob *bp = NULL; \
+ int successes = 0; \
+ \
+ memset(&tblob, 0, sizeof(tblob)); \
+ FIELD = &tblob; \
+ for_each_hook(sop, ALLOC) { \
+ rc = sop->ALLOC(ARG); \
+ if (rc) \
+ break; \
+ note[successes++] = sop; \
+ } \
+ if (tblob.lsm_setcount != 0) { \
+ if (rc == 0) \
+ bp = kmemdup(&tblob, sizeof(tblob), GFP); \
+ if (bp == NULL) { \
+ if (rc == 0) \
+ rc = -ENOMEM; \
+ while (successes > 0) \
+ note[--successes]->FREE(ARG); \
+ } \
+ } \
+ FIELD = bp; \
+ } while (0); \
+ rc; \
+})
+
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- int rc;
- rc = yama_ptrace_access_check(child, mode);
- if (rc)
- return rc;
-#endif
- return security_ops->ptrace_access_check(child, mode);
+ return call_int_cap_first(ptrace_access_check, child, mode);
}
int security_ptrace_traceme(struct task_struct *parent)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- int rc;
- rc = yama_ptrace_traceme(parent);
- if (rc)
- return rc;
-#endif
- return security_ops->ptrace_traceme(parent);
+ return call_int_cap_first(ptrace_traceme, parent);
}
+/*
+ * Odd duck hook handling.
+ * This hook returns the set of capabilities available to
+ * the "target" task. Apparmor restricts the capabilities
+ * based on profile and SELinux may deny the ability to
+ * look and see what they are. cap_capget never fails.
+ */
int security_capget(struct task_struct *target,
kernel_cap_t *effective,
kernel_cap_t *inheritable,
kernel_cap_t *permitted)
{
- return security_ops->capget(target, effective, inheritable, permitted);
+ struct security_operations *sop;
+ kernel_cap_t cap[3];
+ kernel_cap_t this[3];
+ int rc;
+ int i;
+
+ rc = cap_capget(target, &cap[0], &cap[1], &cap[2]);
+ if (rc != 0)
+ return rc;
+
+ for_each_hook(sop, capget) {
+ rc = sop->capget(target, &this[0], &this[1], &this[2]);
+ if (rc != 0)
+ return rc;
+ for (i = 0; i < 3; i++)
+ cap[i] = cap_intersect(cap[i], this[i]);
+ }
+
+ *effective = cap[0];
+ *inheritable = cap[1];
+ *permitted = cap[2];
+
+ return 0;
}
int security_capset(struct cred *new, const struct cred *old,
@@ -169,195 +702,214 @@ int security_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- return security_ops->capset(new, old,
- effective, inheritable, permitted);
+ return call_int_cap_first(capset, new, old, effective,
+ inheritable, permitted);
}
int security_capable(const struct cred *cred, struct user_namespace *ns,
int cap)
{
- return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);
+ return call_int_cap_first(capable, cred, ns, cap, SECURITY_CAP_AUDIT);
}
int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
int cap)
{
- return security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT);
+ return call_int_cap_first(capable, cred, ns, cap, SECURITY_CAP_NOAUDIT);
}
int security_quotactl(int cmds, int type, int id, struct super_block *sb)
{
- return security_ops->quotactl(cmds, type, id, sb);
+ return call_int_hook(quotactl, cmds, type, id, sb);
}
int security_quota_on(struct dentry *dentry)
{
- return security_ops->quota_on(dentry);
+ return call_int_hook(quota_on, dentry);
}
int security_syslog(int type)
{
- return security_ops->syslog(type);
+ return call_int_hook(syslog, type);
}
int security_settime(const struct timespec *ts, const struct timezone *tz)
{
- return security_ops->settime(ts, tz);
+ return call_int_cap_first(settime, ts, tz);
}
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{
- return security_ops->vm_enough_memory(mm, pages);
+ return call_int_cap_first(vm_enough_memory, mm, pages);
}
int security_bprm_set_creds(struct linux_binprm *bprm)
{
- return security_ops->bprm_set_creds(bprm);
+ return call_int_cap_first(bprm_set_creds, bprm);
}
int security_bprm_check(struct linux_binprm *bprm)
{
- int ret;
+ int rc = call_int_hook(bprm_check_security, bprm);
+
+ if (rc)
+ return rc;
- ret = security_ops->bprm_check_security(bprm);
- if (ret)
- return ret;
return ima_bprm_check(bprm);
}
+
void security_bprm_committing_creds(struct linux_binprm *bprm)
{
- security_ops->bprm_committing_creds(bprm);
+ call_void_hook(bprm_committing_creds, bprm);
}
void security_bprm_committed_creds(struct linux_binprm *bprm)
{
- security_ops->bprm_committed_creds(bprm);
+ call_void_hook(bprm_committed_creds, bprm);
}
int security_bprm_secureexec(struct linux_binprm *bprm)
{
- return security_ops->bprm_secureexec(bprm);
+ return call_int_cap_last(bprm_secureexec, bprm);
}
int security_sb_alloc(struct super_block *sb)
{
- return security_ops->sb_alloc_security(sb);
+ return call_alloc_hook(sb_alloc_security, sb_free_security,
+ sb->s_security, GFP_KERNEL, sb);
}
void security_sb_free(struct super_block *sb)
{
- security_ops->sb_free_security(sb);
+ call_void_hook(sb_free_security, sb);
+
+ kfree(sb->s_security);
+ sb->s_security = NULL;
}
int security_sb_copy_data(char *orig, char *copy)
{
- return security_ops->sb_copy_data(orig, copy);
+ return call_int_hook(sb_copy_data, orig, copy);
}
EXPORT_SYMBOL(security_sb_copy_data);
int security_sb_remount(struct super_block *sb, void *data)
{
- return security_ops->sb_remount(sb, data);
+ return call_int_hook(sb_remount, sb, data);
}
int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
- return security_ops->sb_kern_mount(sb, flags, data);
+ return call_int_hook(sb_kern_mount, sb, flags, data);
}
int security_sb_show_options(struct seq_file *m, struct super_block *sb)
{
- return security_ops->sb_show_options(m, sb);
+ return call_int_hook(sb_show_options, m, sb);
}
int security_sb_statfs(struct dentry *dentry)
{
- return security_ops->sb_statfs(dentry);
+ return call_int_hook(sb_statfs, dentry);
}
int security_sb_mount(const char *dev_name, struct path *path,
const char *type, unsigned long flags, void *data)
{
- return security_ops->sb_mount(dev_name, path, type, flags, data);
+ return call_int_hook(sb_mount, dev_name, path, type, flags, data);
}
int security_sb_umount(struct vfsmount *mnt, int flags)
{
- return security_ops->sb_umount(mnt, flags);
+ return call_int_hook(sb_umount, mnt, flags);
}
int security_sb_pivotroot(struct path *old_path, struct path *new_path)
{
- return security_ops->sb_pivotroot(old_path, new_path);
+ return call_int_hook(sb_pivotroot, old_path, new_path);
}
int security_sb_set_mnt_opts(struct super_block *sb,
struct security_mnt_opts *opts)
{
- return security_ops->sb_set_mnt_opts(sb, opts);
+ int rc;
+
+ if (call_int_must(rc, sb_set_mnt_opts, sb, opts))
+ return rc;
+
+ if (unlikely(opts->num_mnt_opts))
+ return -EOPNOTSUPP;
+ return 0;
}
EXPORT_SYMBOL(security_sb_set_mnt_opts);
void security_sb_clone_mnt_opts(const struct super_block *oldsb,
struct super_block *newsb)
{
- security_ops->sb_clone_mnt_opts(oldsb, newsb);
+ call_void_hook(sb_clone_mnt_opts, oldsb, newsb);
}
EXPORT_SYMBOL(security_sb_clone_mnt_opts);
int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
{
- return security_ops->sb_parse_opts_str(options, opts);
+ return call_int_hook(sb_parse_opts_str, options, opts);
}
EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode)
{
- inode->i_security = NULL;
- return security_ops->inode_alloc_security(inode);
+ return call_alloc_hook(inode_alloc_security, inode_free_security,
+ inode->i_security, GFP_KERNEL, inode);
}
void security_inode_free(struct inode *inode)
{
integrity_inode_free(inode);
- security_ops->inode_free_security(inode);
+
+ call_void_hook(inode_free_security, inode);
+
+ kfree(inode->i_security);
+ inode->i_security = NULL;
}
int security_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr,
const initxattrs initxattrs, void *fs_data)
{
+ int rc;
struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1];
struct xattr *lsm_xattr, *evm_xattr, *xattr;
- int ret;
if (unlikely(IS_PRIVATE(inode)))
return 0;
memset(new_xattrs, 0, sizeof new_xattrs);
if (!initxattrs)
- return security_ops->inode_init_security(inode, dir, qstr,
- NULL, NULL, NULL);
+ return call_int_hook(inode_init_security, inode, dir, qstr,
+ NULL, NULL, NULL);
+
lsm_xattr = new_xattrs;
- ret = security_ops->inode_init_security(inode, dir, qstr,
- &lsm_xattr->name,
- &lsm_xattr->value,
- &lsm_xattr->value_len);
- if (ret)
+
+ if (!call_int_must(rc, inode_init_security, inode, dir, qstr,
+ &lsm_xattr->name, &lsm_xattr->value,
+ &lsm_xattr->value_len))
+ rc = -EOPNOTSUPP;
+
+ if (rc)
goto out;
evm_xattr = lsm_xattr + 1;
- ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
- if (ret)
+ rc = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
+ if (rc)
goto out;
- ret = initxattrs(inode, new_xattrs, fs_data);
+ rc = initxattrs(inode, new_xattrs, fs_data);
out:
for (xattr = new_xattrs; xattr->name != NULL; xattr++) {
kfree(xattr->name);
kfree(xattr->value);
}
- return (ret == -EOPNOTSUPP) ? 0 : ret;
+ return (rc == -EOPNOTSUPP) ? 0 : rc;
}
EXPORT_SYMBOL(security_inode_init_security);
@@ -367,8 +919,9 @@ int security_old_inode_init_security(struct inode *inode, struct inode *dir,
{
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_init_security(inode, dir, qstr, name, value,
- len);
+
+ return call_int_hook(inode_init_security, inode, dir, qstr, name,
+ value, len);
}
EXPORT_SYMBOL(security_old_inode_init_security);
@@ -378,7 +931,8 @@ int security_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode,
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_mknod(dir, dentry, mode, dev);
+
+ return call_int_hook(path_mknod, dir, dentry, mode, dev);
}
EXPORT_SYMBOL(security_path_mknod);
@@ -386,7 +940,8 @@ int security_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_mkdir(dir, dentry, mode);
+
+ return call_int_hook(path_mkdir, dir, dentry, mode);
}
EXPORT_SYMBOL(security_path_mkdir);
@@ -394,14 +949,16 @@ int security_path_rmdir(struct path *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_rmdir(dir, dentry);
+
+ return call_int_hook(path_rmdir, dir, dentry);
}
int security_path_unlink(struct path *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_unlink(dir, dentry);
+
+ return call_int_hook(path_unlink, dir, dentry);
}
EXPORT_SYMBOL(security_path_unlink);
@@ -410,7 +967,8 @@ int security_path_symlink(struct path *dir, struct dentry *dentry,
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_symlink(dir, dentry, old_name);
+
+ return call_int_hook(path_symlink, dir, dentry, old_name);
}
int security_path_link(struct dentry *old_dentry, struct path *new_dir,
@@ -418,7 +976,8 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir,
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
return 0;
- return security_ops->path_link(old_dentry, new_dir, new_dentry);
+
+ return call_int_hook(path_link, old_dentry, new_dir, new_dentry);
}
int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
@@ -427,8 +986,9 @@ int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
- return security_ops->path_rename(old_dir, old_dentry, new_dir,
- new_dentry);
+
+ return call_int_hook(path_rename, old_dir, old_dentry, new_dir,
+ new_dentry);
}
EXPORT_SYMBOL(security_path_rename);
@@ -436,26 +996,29 @@ int security_path_truncate(struct path *path)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_truncate(path);
+
+ return call_int_hook(path_truncate, path);
}
int security_path_chmod(struct path *path, umode_t mode)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_chmod(path, mode);
+
+ return call_int_hook(path_chmod, path, mode);
}
int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_chown(path, uid, gid);
+
+ return call_int_hook(path_chown, path, uid, gid);
}
int security_path_chroot(struct path *path)
{
- return security_ops->path_chroot(path);
+ return call_int_hook(path_chroot, path);
}
#endif
@@ -463,7 +1026,8 @@ int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_create(dir, dentry, mode);
+
+ return call_int_hook(inode_create, dir, dentry, mode);
}
EXPORT_SYMBOL_GPL(security_inode_create);
@@ -472,14 +1036,16 @@ int security_inode_link(struct dentry *old_dentry, struct inode *dir,
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
return 0;
- return security_ops->inode_link(old_dentry, dir, new_dentry);
+
+ return call_int_hook(inode_link, old_dentry, dir, new_dentry);
}
int security_inode_unlink(struct inode *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_unlink(dir, dentry);
+
+ return call_int_hook(inode_unlink, dir, dentry);
}
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
@@ -487,14 +1053,16 @@ int security_inode_symlink(struct inode *dir, struct dentry *dentry,
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_symlink(dir, dentry, old_name);
+
+ return call_int_hook(inode_symlink, dir, dentry, old_name);
}
int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_mkdir(dir, dentry, mode);
+
+ return call_int_hook(inode_mkdir, dir, dentry, mode);
}
EXPORT_SYMBOL_GPL(security_inode_mkdir);
@@ -502,14 +1070,16 @@ int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_rmdir(dir, dentry);
+
+ return call_int_hook(inode_rmdir, dir, dentry);
}
int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_mknod(dir, dentry, mode, dev);
+
+ return call_int_hook(inode_mknod, dir, dentry, mode, dev);
}
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -518,40 +1088,45 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
- return security_ops->inode_rename(old_dir, old_dentry,
- new_dir, new_dentry);
+
+ return call_int_hook(inode_rename, old_dir, old_dentry, new_dir,
+ new_dentry);
}
int security_inode_readlink(struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_readlink(dentry);
+
+ return call_int_hook(inode_readlink, dentry);
}
int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_follow_link(dentry, nd);
+
+ return call_int_hook(inode_follow_link, dentry, nd);
}
int security_inode_permission(struct inode *inode, int mask)
{
if (unlikely(IS_PRIVATE(inode)))
return 0;
- return security_ops->inode_permission(inode, mask);
+
+ return call_int_hook(inode_permission, inode, mask);
}
int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_setattr(dentry, attr);
- if (ret)
- return ret;
+
+ rc = call_int_hook(inode_setattr, dentry, attr);
+ if (rc)
+ return rc;
return evm_inode_setattr(dentry, attr);
}
EXPORT_SYMBOL_GPL(security_inode_setattr);
@@ -560,22 +1135,25 @@ int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_getattr(mnt, dentry);
+
+ return call_int_hook(inode_getattr, mnt, dentry);
}
int security_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_setxattr(dentry, name, value, size, flags);
- if (ret)
- return ret;
- ret = ima_inode_setxattr(dentry, name, value, size);
- if (ret)
- return ret;
+
+ rc = call_int_hook(inode_setxattr, dentry, name, value, size, flags);
+
+ if (rc)
+ return rc;
+ rc = ima_inode_setxattr(dentry, name, value, size);
+ if (rc)
+ return rc;
return evm_inode_setxattr(dentry, name, value, size);
}
@@ -584,7 +1162,9 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name,
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return;
- security_ops->inode_post_setxattr(dentry, name, value, size, flags);
+
+ call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
+
evm_inode_post_setxattr(dentry, name, value, size);
}
@@ -592,91 +1172,145 @@ int security_inode_getxattr(struct dentry *dentry, const char *name)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_getxattr(dentry, name);
+
+ return call_int_hook(inode_getxattr, dentry, name);
}
int security_inode_listxattr(struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_listxattr(dentry);
+
+ return call_int_hook(inode_listxattr, dentry);
}
int security_inode_removexattr(struct dentry *dentry, const char *name)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_removexattr(dentry, name);
- if (ret)
- return ret;
- ret = ima_inode_removexattr(dentry, name);
- if (ret)
- return ret;
+
+ if (!call_int_must(rc, inode_removexattr, dentry, name))
+ rc = cap_inode_removexattr(dentry, name);
+
+ if (rc)
+ return rc;
+
+ rc = ima_inode_removexattr(dentry, name);
+ if (rc)
+ return rc;
return evm_inode_removexattr(dentry, name);
}
int security_inode_need_killpriv(struct dentry *dentry)
{
- return security_ops->inode_need_killpriv(dentry);
+ return call_int_cap_first(inode_need_killpriv, dentry);
}
int security_inode_killpriv(struct dentry *dentry)
{
- return security_ops->inode_killpriv(dentry);
+ return call_int_cap_first(inode_killpriv, dentry);
}
int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
{
+ struct security_operations *sop;
+ int rc;
+
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_getsecurity(inode, name, buffer, alloc);
+
+ /*
+ * Only one LSM will supply a given "name".
+ * -EOPNOTSUPP is an indication that the LSM does not
+ * provide a value for the provided name.
+ */
+ for_each_hook(sop, inode_getsecurity) {
+ rc = sop->inode_getsecurity(inode, name, buffer, alloc);
+ if (rc != -EOPNOTSUPP)
+ return rc;
+ }
+ return -EOPNOTSUPP;
}
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
{
+ struct security_operations *sop;
+ int rc;
+
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_setsecurity(inode, name, value, size, flags);
+
+ /*
+ * Only one LSM will set a given "name".
+ * -EOPNOTSUPP is an indication that the LSM does not
+ * set a value for the provided name.
+ */
+ for_each_hook(sop, inode_setsecurity) {
+ rc = sop->inode_setsecurity(inode, name, value, size, flags);
+ if (rc != -EOPNOTSUPP)
+ return rc;
+ }
+ return -EOPNOTSUPP;
}
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
+ struct security_operations *sop;
+ int rc = 0;
+ int thisrc;
+
if (unlikely(IS_PRIVATE(inode)))
return 0;
- return security_ops->inode_listsecurity(inode, buffer, buffer_size);
+
+ /*
+ * inode_listsecurity hooks never return negative values.
+ */
+ for_each_hook(sop, inode_listsecurity) {
+ thisrc = sop->inode_listsecurity(inode, buffer, buffer_size);
+ buffer += thisrc;
+ buffer_size -= thisrc;
+ rc += thisrc;
+ }
+ return rc;
}
void security_inode_getsecid(const struct inode *inode, u32 *secid)
{
- security_ops->inode_getsecid(inode, secid);
+ *secid = 0;
+ call_void_hook(inode_getsecid, inode, secid);
}
int security_file_permission(struct file *file, int mask)
{
- int ret;
+ int rc;
- ret = security_ops->file_permission(file, mask);
- if (ret)
- return ret;
+ rc = call_int_hook(file_permission, file, mask);
+
+ if (rc)
+ return rc;
return fsnotify_perm(file, mask);
}
int security_file_alloc(struct file *file)
{
- return security_ops->file_alloc_security(file);
+ return call_alloc_hook(file_alloc_security, file_free_security,
+ file->f_security, GFP_KERNEL, file);
}
void security_file_free(struct file *file)
{
- security_ops->file_free_security(file);
+ call_void_hook(file_free_security, file);
+
+ kfree(file->f_security);
+ file->f_security = NULL;
}
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
- return security_ops->file_ioctl(file, cmd, arg);
+ return call_int_hook(file_ioctl, file, cmd, arg);
}
static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
@@ -716,370 +1350,528 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags)
{
- int ret;
- ret = security_ops->mmap_file(file, prot,
- mmap_prot(file, prot), flags);
- if (ret)
- return ret;
+ int rc;
+
+ rc = call_int_hook(mmap_file, file, prot, mmap_prot(file, prot),
+ flags);
+
+ if (rc)
+ return rc;
return ima_file_mmap(file, prot);
}
int security_mmap_addr(unsigned long addr)
{
- return security_ops->mmap_addr(addr);
+ return call_int_cap_last(mmap_addr, addr);
}
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot)
{
- return security_ops->file_mprotect(vma, reqprot, prot);
+ return call_int_hook(file_mprotect, vma, reqprot, prot);
}
int security_file_lock(struct file *file, unsigned int cmd)
{
- return security_ops->file_lock(file, cmd);
+ return call_int_hook(file_lock, file, cmd);
}
int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
{
- return security_ops->file_fcntl(file, cmd, arg);
+ return call_int_hook(file_fcntl, file, cmd, arg);
}
int security_file_set_fowner(struct file *file)
{
- return security_ops->file_set_fowner(file);
+ return call_int_hook(file_set_fowner, file);
}
int security_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int sig)
{
- return security_ops->file_send_sigiotask(tsk, fown, sig);
+ return call_int_hook(file_send_sigiotask, tsk, fown, sig);
}
int security_file_receive(struct file *file)
{
- return security_ops->file_receive(file);
+ return call_int_hook(file_receive, file);
}
int security_file_open(struct file *file, const struct cred *cred)
{
- int ret;
+ int rc;
- ret = security_ops->file_open(file, cred);
- if (ret)
- return ret;
+ rc = call_int_hook(file_open, file, cred);
+
+ if (rc)
+ return rc;
return fsnotify_perm(file, MAY_OPEN);
}
int security_task_create(unsigned long clone_flags)
{
- return security_ops->task_create(clone_flags);
+ return call_int_hook(task_create, clone_flags);
}
void security_task_free(struct task_struct *task)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- yama_task_free(task);
-#endif
- security_ops->task_free(task);
+ call_void_hook(task_free, task);
}
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
- return security_ops->cred_alloc_blank(cred, gfp);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ cred->security = &tblob;
+
+ for_each_hook(sop, cred_alloc_blank) {
+ rc = sop->cred_alloc_blank(cred, gfp);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), gfp);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->cred_free(cred);
+ }
+ }
+ cred->security = bp;
+ return rc;
}
void security_cred_free(struct cred *cred)
{
- security_ops->cred_free(cred);
+ call_void_hook(cred_free, cred);
+
+ if (cred->security == NULL)
+ return;
+
+ kfree(cred->security);
+ cred->security = NULL;
}
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
{
- return security_ops->cred_prepare(new, old, gfp);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ /*
+ * new->security will be NULL on entry.
+ */
+ memset(&tblob, 0, sizeof(tblob));
+ new->security = &tblob;
+
+ for_each_hook(sop, cred_prepare) {
+ rc = sop->cred_prepare(new, old, gfp);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), gfp);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->cred_free(new);
+ }
+ }
+ new->security = bp;
+ return rc;
}
void security_transfer_creds(struct cred *new, const struct cred *old)
{
- security_ops->cred_transfer(new, old);
+ call_void_hook(cred_transfer, new, old);
}
int security_kernel_act_as(struct cred *new, u32 secid)
{
- return security_ops->kernel_act_as(new, secid);
+ return call_int_hook(kernel_act_as, new, secid);
}
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
{
- return security_ops->kernel_create_files_as(new, inode);
+ return call_int_hook(kernel_create_files_as, new, inode);
}
int security_kernel_module_request(char *kmod_name)
{
- return security_ops->kernel_module_request(kmod_name);
+ return call_int_hook(kernel_module_request, kmod_name);
}
int security_kernel_module_from_file(struct file *file)
{
- int ret;
+ int rc;
- ret = security_ops->kernel_module_from_file(file);
- if (ret)
- return ret;
+ rc = call_int_hook(kernel_module_from_file, file);
+ if (rc)
+ return rc;
return ima_module_check(file);
}
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags)
{
- return security_ops->task_fix_setuid(new, old, flags);
+ return call_int_cap_first(task_fix_setuid, new, old, flags);
}
int security_task_setpgid(struct task_struct *p, pid_t pgid)
{
- return security_ops->task_setpgid(p, pgid);
+ return call_int_hook(task_setpgid, p, pgid);
}
int security_task_getpgid(struct task_struct *p)
{
- return security_ops->task_getpgid(p);
+ return call_int_hook(task_getpgid, p);
}
int security_task_getsid(struct task_struct *p)
{
- return security_ops->task_getsid(p);
+ return call_int_hook(task_getsid, p);
}
void security_task_getsecid(struct task_struct *p, u32 *secid)
{
- security_ops->task_getsecid(p, secid);
+ *secid = 0;
+ call_void_hook(task_getsecid, p, secid);
}
EXPORT_SYMBOL(security_task_getsecid);
int security_task_setnice(struct task_struct *p, int nice)
{
- return security_ops->task_setnice(p, nice);
+ return call_int_cap_first(task_setnice, p, nice);
}
int security_task_setioprio(struct task_struct *p, int ioprio)
{
- return security_ops->task_setioprio(p, ioprio);
+ return call_int_cap_first(task_setioprio, p, ioprio);
}
int security_task_getioprio(struct task_struct *p)
{
- return security_ops->task_getioprio(p);
+ return call_int_hook(task_getioprio, p);
}
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{
- return security_ops->task_setrlimit(p, resource, new_rlim);
+ return call_int_hook(task_setrlimit, p, resource, new_rlim);
}
int security_task_setscheduler(struct task_struct *p)
{
- return security_ops->task_setscheduler(p);
+ return call_int_cap_first(task_setscheduler, p);
}
int security_task_getscheduler(struct task_struct *p)
{
- return security_ops->task_getscheduler(p);
+ return call_int_hook(task_getscheduler, p);
}
int security_task_movememory(struct task_struct *p)
{
- return security_ops->task_movememory(p);
+ return call_int_hook(task_movememory, p);
}
int security_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid)
{
- return security_ops->task_kill(p, info, sig, secid);
+ return call_int_hook(task_kill, p, info, sig, secid);
}
int security_task_wait(struct task_struct *p)
{
- return security_ops->task_wait(p);
+ return call_int_hook(task_wait, p);
}
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
+ struct security_operations *sop;
int rc;
- rc = yama_task_prctl(option, arg2, arg3, arg4, arg5);
+
+ rc = cap_task_prctl(option, arg2, arg3, arg4, arg5);
if (rc != -ENOSYS)
return rc;
-#endif
- return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
+
+ for_each_hook(sop, task_prctl) {
+ rc = sop->task_prctl(option, arg2, arg3, arg4, arg5);
+ /*
+ * -ENOSYS returned if the lsm doesn't handle that control.
+ * If the LSM does handle the control return the result.
+ * The assumption for the time being is that no two LSMs
+ * will handle a control.
+ */
+ if (rc != -ENOSYS)
+ return rc;
+ }
+ return -ENOSYS;
}
void security_task_to_inode(struct task_struct *p, struct inode *inode)
{
- security_ops->task_to_inode(p, inode);
+ call_void_hook(task_to_inode, p, inode);
}
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
{
- return security_ops->ipc_permission(ipcp, flag);
+ return call_int_hook(ipc_permission, ipcp, flag);
}
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- security_ops->ipc_getsecid(ipcp, secid);
+ *secid = 0;
+ call_void_hook(ipc_getsecid, ipcp, secid);
}
int security_msg_msg_alloc(struct msg_msg *msg)
{
- return security_ops->msg_msg_alloc_security(msg);
+ return call_alloc_hook(msg_msg_alloc_security, msg_msg_free_security,
+ msg->security, GFP_KERNEL, msg);
}
void security_msg_msg_free(struct msg_msg *msg)
{
- security_ops->msg_msg_free_security(msg);
+ call_void_hook(msg_msg_free_security, msg);
+
+ kfree(msg->security);
+ msg->security = NULL;
}
int security_msg_queue_alloc(struct msg_queue *msq)
{
- return security_ops->msg_queue_alloc_security(msq);
+ struct kern_ipc_perm *kp = &msq->q_perm;
+
+ return call_alloc_hook(msg_queue_alloc_security,
+ msg_queue_free_security, kp->security, GFP_KERNEL,
+ msq);
}
void security_msg_queue_free(struct msg_queue *msq)
{
- security_ops->msg_queue_free_security(msq);
+ call_void_hook(msg_queue_free_security, msq);
+
+ kfree(msq->q_perm.security);
+ msq->q_perm.security = NULL;
}
int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
- return security_ops->msg_queue_associate(msq, msqflg);
+ return call_int_hook(msg_queue_associate, msq, msqflg);
}
int security_msg_queue_msgctl(struct msg_queue *msq, int cmd)
{
- return security_ops->msg_queue_msgctl(msq, cmd);
+ return call_int_hook(msg_queue_msgctl, msq, cmd);
}
int security_msg_queue_msgsnd(struct msg_queue *msq,
struct msg_msg *msg, int msqflg)
{
- return security_ops->msg_queue_msgsnd(msq, msg, msqflg);
+ return call_int_hook(msg_queue_msgsnd, msq, msg, msqflg);
}
int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
struct task_struct *target, long type, int mode)
{
- return security_ops->msg_queue_msgrcv(msq, msg, target, type, mode);
+ return call_int_hook(msg_queue_msgrcv, msq, msg, target, type, mode);
}
int security_shm_alloc(struct shmid_kernel *shp)
{
- return security_ops->shm_alloc_security(shp);
+ struct kern_ipc_perm *kp = &shp->shm_perm;
+
+ return call_alloc_hook(shm_alloc_security, shm_free_security,
+ kp->security, GFP_KERNEL, shp);
}
void security_shm_free(struct shmid_kernel *shp)
{
- security_ops->shm_free_security(shp);
+ call_void_hook(shm_free_security, shp);
+
+ kfree(shp->shm_perm.security);
+ shp->shm_perm.security = NULL;
}
int security_shm_associate(struct shmid_kernel *shp, int shmflg)
{
- return security_ops->shm_associate(shp, shmflg);
+ return call_int_hook(shm_associate, shp, shmflg);
}
int security_shm_shmctl(struct shmid_kernel *shp, int cmd)
{
- return security_ops->shm_shmctl(shp, cmd);
+ return call_int_hook(shm_shmctl, shp, cmd);
}
int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg)
{
- return security_ops->shm_shmat(shp, shmaddr, shmflg);
+ return call_int_hook(shm_shmat, shp, shmaddr, shmflg);
}
int security_sem_alloc(struct sem_array *sma)
{
- return security_ops->sem_alloc_security(sma);
+ struct kern_ipc_perm *kp = &sma->sem_perm;
+
+ return call_alloc_hook(sem_alloc_security, sem_free_security,
+ kp->security, GFP_KERNEL, sma);
}
void security_sem_free(struct sem_array *sma)
{
- security_ops->sem_free_security(sma);
+ call_void_hook(sem_free_security, sma);
+
+ kfree(sma->sem_perm.security);
+ sma->sem_perm.security = NULL;
}
int security_sem_associate(struct sem_array *sma, int semflg)
{
- return security_ops->sem_associate(sma, semflg);
+ return call_int_hook(sem_associate, sma, semflg);
}
int security_sem_semctl(struct sem_array *sma, int cmd)
{
- return security_ops->sem_semctl(sma, cmd);
+ return call_int_hook(sem_semctl, sma, cmd);
}
int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
unsigned nsops, int alter)
{
- return security_ops->sem_semop(sma, sops, nsops, alter);
+ return call_int_hook(sem_semop, sma, sops, nsops, alter);
}
void security_d_instantiate(struct dentry *dentry, struct inode *inode)
{
if (unlikely(inode && IS_PRIVATE(inode)))
return;
- security_ops->d_instantiate(dentry, inode);
+
+ call_void_hook(d_instantiate, dentry, inode);
}
EXPORT_SYMBOL(security_d_instantiate);
int security_getprocattr(struct task_struct *p, char *name, char **value)
{
- return security_ops->getprocattr(p, name, value);
+ struct security_operations *sop;
+ char *lsm;
+ int lsmlen;
+
+ /*
+ * Names will either be in the legacy form containing
+ * no periods (".") or they will be the LSM name followed
+ * by the legacy suffix.
+ * "current" or "selinux.current"
+ *
+ * Legacy names are handled by the presenting LSM.
+ * Suffixed names are handled by the named LSM.
+ */
+ if (lsm_present && !strchr(name, '.'))
+ return present_getprocattr(p, name, value);
+
+ for_each_hook(sop, getprocattr) {
+ lsm = sop->name;
+ lsmlen = strlen(lsm);
+ if (!strncmp(name, lsm, lsmlen) && name[lsmlen] == '.')
+ return sop->getprocattr(p, name + lsmlen + 1, value);
+ }
+ return -EINVAL;
}
-int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size)
+int security_setprocattr(struct task_struct *p, char *name, void *value,
+ size_t size)
{
- return security_ops->setprocattr(p, name, value, size);
+ struct security_operations *sop;
+ char *lsm;
+ int lsmlen;
+
+ /*
+ * Names will either be in the legacy form containing
+ * no periods (".") or they will be the LSM name followed
+ * by the legacy suffix.
+ * "current" or "selinux.current"
+ *
+ * Legacy names are handled by the presenting LSM.
+ * Suffixed names are handled by the named LSM.
+ */
+ if (lsm_present && !strchr(name, '.'))
+ return present_setprocattr(p, name, value, size);
+
+ for_each_hook(sop, setprocattr) {
+ lsm = sop->name;
+ lsmlen = strlen(lsm);
+ if (!strncmp(name, lsm, lsmlen) && name[lsmlen] == '.')
+ return sop->setprocattr(p, name + lsmlen + 1, value,
+ size);
+ }
+ return -EINVAL;
}
int security_netlink_send(struct sock *sk, struct sk_buff *skb)
{
- return security_ops->netlink_send(sk, skb);
+ return call_int_cap_first(netlink_send, sk, skb);
}
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
- return security_ops->secid_to_secctx(secid, secdata, seclen);
+ int rc;
+
+ if (call_int_must(rc, secid_to_secctx, secid, secdata, seclen))
+ return rc;
+ return -EOPNOTSUPP;
}
EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- return security_ops->secctx_to_secid(secdata, seclen, secid);
+ int rc;
+
+ if (call_int_must(rc, secctx_to_secid, secdata, seclen, secid))
+ return rc;
+ *secid = 0;
+ return 0;
}
EXPORT_SYMBOL(security_secctx_to_secid);
void security_release_secctx(char *secdata, u32 seclen)
{
- security_ops->release_secctx(secdata, seclen);
+ call_void_hook(release_secctx, secdata, seclen);
}
EXPORT_SYMBOL(security_release_secctx);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
- return security_ops->inode_notifysecctx(inode, ctx, ctxlen);
+ return call_int_hook(inode_notifysecctx, inode, ctx, ctxlen);
}
EXPORT_SYMBOL(security_inode_notifysecctx);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
- return security_ops->inode_setsecctx(dentry, ctx, ctxlen);
+ return call_int_hook(inode_setsecctx, dentry, ctx, ctxlen);
}
EXPORT_SYMBOL(security_inode_setsecctx);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
{
- return security_ops->inode_getsecctx(inode, ctx, ctxlen);
+ return call_int_hook(inode_getsecctx, inode, ctx, ctxlen);
}
EXPORT_SYMBOL(security_inode_getsecctx);
@@ -1087,188 +1879,228 @@ EXPORT_SYMBOL(security_inode_getsecctx);
int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
{
- return security_ops->unix_stream_connect(sock, other, newsk);
+ return call_int_hook(unix_stream_connect, sock, other, newsk);
}
EXPORT_SYMBOL(security_unix_stream_connect);
int security_unix_may_send(struct socket *sock, struct socket *other)
{
- return security_ops->unix_may_send(sock, other);
+ return call_int_hook(unix_may_send, sock, other);
}
EXPORT_SYMBOL(security_unix_may_send);
int security_socket_create(int family, int type, int protocol, int kern)
{
- return security_ops->socket_create(family, type, protocol, kern);
+ return call_int_hook(socket_create, family, type, protocol, kern);
}
int security_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- return security_ops->socket_post_create(sock, family, type,
- protocol, kern);
+ return call_int_hook(socket_post_create, sock, family, type,
+ protocol, kern);
}
int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
{
- return security_ops->socket_bind(sock, address, addrlen);
+ return call_int_hook(socket_bind, sock, address, addrlen);
}
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
- return security_ops->socket_connect(sock, address, addrlen);
+ return call_int_hook(socket_connect, sock, address, addrlen);
}
int security_socket_listen(struct socket *sock, int backlog)
{
- return security_ops->socket_listen(sock, backlog);
+ return call_int_hook(socket_listen, sock, backlog);
}
int security_socket_accept(struct socket *sock, struct socket *newsock)
{
- return security_ops->socket_accept(sock, newsock);
+ return call_int_hook(socket_accept, sock, newsock);
}
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
- return security_ops->socket_sendmsg(sock, msg, size);
+ return call_int_hook(socket_sendmsg, sock, msg, size);
}
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
int size, int flags)
{
- return security_ops->socket_recvmsg(sock, msg, size, flags);
+ return call_int_hook(socket_recvmsg, sock, msg, size, flags);
}
int security_socket_getsockname(struct socket *sock)
{
- return security_ops->socket_getsockname(sock);
+ return call_int_hook(socket_getsockname, sock);
}
int security_socket_getpeername(struct socket *sock)
{
- return security_ops->socket_getpeername(sock);
+ return call_int_hook(socket_getpeername, sock);
}
int security_socket_getsockopt(struct socket *sock, int level, int optname)
{
- return security_ops->socket_getsockopt(sock, level, optname);
+ return call_int_hook(socket_getsockopt, sock, level, optname);
}
int security_socket_setsockopt(struct socket *sock, int level, int optname)
{
- return security_ops->socket_setsockopt(sock, level, optname);
+ return call_int_hook(socket_setsockopt, sock, level, optname);
}
int security_socket_shutdown(struct socket *sock, int how)
{
- return security_ops->socket_shutdown(sock, how);
+ return call_int_hook(socket_shutdown, sock, how);
}
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
- return security_ops->socket_sock_rcv_skb(sk, skb);
+ return call_int_hook(socket_sock_rcv_skb, sk, skb);
}
EXPORT_SYMBOL(security_sock_rcv_skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len)
{
- return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
+ int rc;
+
+ if (call_int_must(rc, socket_getpeersec_stream, sock, optval,
+ optlen, len))
+ return rc;
+ return -ENOPROTOOPT;
}
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
- return security_ops->socket_getpeersec_dgram(sock, skb, secid);
+ int rc;
+
+ if (call_int_must(rc, socket_getpeersec_dgram, sock, skb, secid))
+ return rc;
+ return -ENOPROTOOPT;
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
{
- return security_ops->sk_alloc_security(sk, family, priority);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ sk->sk_security = &tblob;
+
+ for_each_hook(sop, sk_alloc_security) {
+ rc = sop->sk_alloc_security(sk, family, priority);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), priority);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->sk_free_security(sk);
+ }
+ }
+ sk->sk_security = bp;
+ return rc;
}
void security_sk_free(struct sock *sk)
{
- security_ops->sk_free_security(sk);
+ call_void_hook(sk_free_security, sk);
+
+ kfree(sk->sk_security);
+ sk->sk_security = NULL;
}
void security_sk_clone(const struct sock *sk, struct sock *newsk)
{
- security_ops->sk_clone_security(sk, newsk);
+ call_void_hook(sk_clone_security, sk, newsk);
}
EXPORT_SYMBOL(security_sk_clone);
void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
- security_ops->sk_getsecid(sk, &fl->flowi_secid);
+ call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
}
EXPORT_SYMBOL(security_sk_classify_flow);
void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
{
- security_ops->req_classify_flow(req, fl);
+ call_void_hook(req_classify_flow, req, fl);
}
EXPORT_SYMBOL(security_req_classify_flow);
void security_sock_graft(struct sock *sk, struct socket *parent)
{
- security_ops->sock_graft(sk, parent);
+ call_void_hook(sock_graft, sk, parent);
}
EXPORT_SYMBOL(security_sock_graft);
int security_inet_conn_request(struct sock *sk,
struct sk_buff *skb, struct request_sock *req)
{
- return security_ops->inet_conn_request(sk, skb, req);
+ return call_int_hook(inet_conn_request, sk, skb, req);
}
EXPORT_SYMBOL(security_inet_conn_request);
void security_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- security_ops->inet_csk_clone(newsk, req);
+ call_void_hook(inet_csk_clone, newsk, req);
}
void security_inet_conn_established(struct sock *sk,
struct sk_buff *skb)
{
- security_ops->inet_conn_established(sk, skb);
+ call_void_hook(inet_conn_established, sk, skb);
}
int security_secmark_relabel_packet(u32 secid)
{
- return security_ops->secmark_relabel_packet(secid);
+ return call_int_hook(secmark_relabel_packet, secid);
}
EXPORT_SYMBOL(security_secmark_relabel_packet);
void security_secmark_refcount_inc(void)
{
- security_ops->secmark_refcount_inc();
+ call_void_hook(secmark_refcount_inc);
}
EXPORT_SYMBOL(security_secmark_refcount_inc);
void security_secmark_refcount_dec(void)
{
- security_ops->secmark_refcount_dec();
+ call_void_hook(secmark_refcount_dec);
}
EXPORT_SYMBOL(security_secmark_refcount_dec);
int security_tun_dev_create(void)
{
- return security_ops->tun_dev_create();
+ return call_int_hook(tun_dev_create);
}
EXPORT_SYMBOL(security_tun_dev_create);
void security_tun_dev_post_create(struct sock *sk)
{
- return security_ops->tun_dev_post_create(sk);
+ call_void_hook(tun_dev_post_create, sk);
}
EXPORT_SYMBOL(security_tun_dev_post_create);
int security_tun_dev_attach(struct sock *sk)
{
- return security_ops->tun_dev_attach(sk);
+ return call_int_hook(tun_dev_attach, sk);
}
EXPORT_SYMBOL(security_tun_dev_attach);
@@ -1276,78 +2108,94 @@ EXPORT_SYMBOL(security_tun_dev_attach);
#ifdef CONFIG_SECURITY_NETWORK_XFRM
+/*
+ * The xfrm hooks present special issues for composition
+ * as they don't use the usual scheme for passing in blobs.
+ * LSM registration checks ensure that only one xfrm using
+ * security module is loaded at a time.
+ * This shouldn't be much of an issue since SELinux is the
+ * only security module ever expected to use xfrm.
+ */
int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx)
{
- return security_ops->xfrm_policy_alloc_security(ctxp, sec_ctx);
+ return call_int_hook(xfrm_policy_alloc_security, ctxp, sec_ctx);
}
EXPORT_SYMBOL(security_xfrm_policy_alloc);
int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
struct xfrm_sec_ctx **new_ctxp)
{
- return security_ops->xfrm_policy_clone_security(old_ctx, new_ctxp);
+ return call_int_hook(xfrm_policy_clone_security, old_ctx, new_ctxp);
}
void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
- security_ops->xfrm_policy_free_security(ctx);
+ call_void_hook(xfrm_policy_free_security, ctx);
}
EXPORT_SYMBOL(security_xfrm_policy_free);
int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
- return security_ops->xfrm_policy_delete_security(ctx);
+ return call_int_hook(xfrm_policy_delete_security, ctx);
}
int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
{
- return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0);
+ return call_int_hook(xfrm_state_alloc_security, x, sec_ctx, 0);
}
EXPORT_SYMBOL(security_xfrm_state_alloc);
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 secid)
{
- if (!polsec)
- return 0;
/*
* We want the context to be taken from secid which is usually
* from the sock.
*/
- return security_ops->xfrm_state_alloc_security(x, NULL, secid);
+
+ if (!polsec)
+ return 0;
+
+ return call_int_hook(xfrm_state_alloc_security, x, NULL, secid);
}
int security_xfrm_state_delete(struct xfrm_state *x)
{
- return security_ops->xfrm_state_delete_security(x);
+ return call_int_hook(xfrm_state_delete_security, x);
}
EXPORT_SYMBOL(security_xfrm_state_delete);
void security_xfrm_state_free(struct xfrm_state *x)
{
- security_ops->xfrm_state_free_security(x);
+ call_void_hook(xfrm_state_free_security, x);
}
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
- return security_ops->xfrm_policy_lookup(ctx, fl_secid, dir);
+ return call_int_hook(xfrm_policy_lookup, ctx, fl_secid, dir);
}
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
struct xfrm_policy *xp,
const struct flowi *fl)
{
- return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
+ int rc;
+
+ if (call_int_must(rc, xfrm_state_pol_flow_match, x, xp, fl))
+ return rc;
+ return 1;
}
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
- return security_ops->xfrm_decode_session(skb, secid, 1);
+ return call_int_hook(xfrm_decode_session, skb, secid, 1);
}
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
{
- int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0);
+ int rc;
+
+ rc = call_int_hook(xfrm_decode_session, skb, &fl->flowi_secid, 0);
BUG_ON(rc);
}
@@ -1360,23 +2208,60 @@ EXPORT_SYMBOL(security_skb_classify_flow);
int security_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- return security_ops->key_alloc(key, cred, flags);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ key->security = &tblob;
+
+ for_each_hook(sop, key_alloc) {
+ rc = sop->key_alloc(key, cred, flags);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), GFP_KERNEL);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->key_free(key);
+ }
+ }
+
+ key->security = bp;
+ return rc;
}
void security_key_free(struct key *key)
{
- security_ops->key_free(key);
+ call_void_hook(key_free, key);
+
+ kfree(key->security);
+ key->security = NULL;
}
int security_key_permission(key_ref_t key_ref,
const struct cred *cred, key_perm_t perm)
{
- return security_ops->key_permission(key_ref, cred, perm);
+ return call_int_hook(key_permission, key_ref, cred, perm);
}
int security_key_getsecurity(struct key *key, char **_buffer)
{
- return security_ops->key_getsecurity(key, _buffer);
+ int rc;
+
+ if (call_int_must(rc, key_getsecurity, key, _buffer))
+ return rc;
+ *_buffer = NULL;
+ return 0;
}
#endif /* CONFIG_KEYS */
@@ -1385,23 +2270,24 @@ int security_key_getsecurity(struct key *key, char **_buffer)
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
- return security_ops->audit_rule_init(field, op, rulestr, lsmrule);
+ return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule);
}
int security_audit_rule_known(struct audit_krule *krule)
{
- return security_ops->audit_rule_known(krule);
+ return call_int_hook(audit_rule_known, krule);
}
void security_audit_rule_free(void *lsmrule)
{
- security_ops->audit_rule_free(lsmrule);
+ call_void_hook(audit_rule_free, lsmrule);
}
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx)
{
- return security_ops->audit_rule_match(secid, field, op, lsmrule, actx);
+ return call_int_hook(audit_rule_match, secid, field, op, lsmrule,
+ actx);
}
#endif /* CONFIG_AUDIT */
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 4/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 4/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Configuration changes.
Headers files. Add securityfs files to report the
registered and present LSMs.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm.h | 174 +++++++++++++++++++++++++++++++
include/linux/security.h | 255 +++++++++++++++++++++++++++++++++++++++-------
security/Kconfig | 79 +++++++++-----
security/inode.c | 79 +++++++++++++-
4 files changed, 521 insertions(+), 66 deletions(-)
diff --git a/include/linux/lsm.h b/include/linux/lsm.h
new file mode 100644
index 0000000..5f36b6b
--- /dev/null
+++ b/include/linux/lsm.h
@@ -0,0 +1,174 @@
+/*
+ *
+ * Copyright (C) 2012 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) 2012 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ *
+ * Author:
+ * Casey Schaufler <casey@schaufler-ca.com>
+ *
+ */
+#ifndef _LINUX_LSM_H
+#define _LINUX_LSM_H
+
+#include <linux/cred.h>
+#include <linux/fs.h>
+#include <linux/msg.h>
+#include <linux/key.h>
+#include <net/sock.h>
+
+/*
+ * Maximum number of LSMs that can be used at a time.
+ */
+#define COMPOSER_MAX CONFIG_SECURITY_COMPOSER_MAX
+#define COMPOSER_NAMES_MAX ((SECURITY_NAME_MAX + 1) * COMPOSER_MAX)
+
+#include <linux/security.h>
+
+/*
+ * Just a set of slots for each LSM to keep its blob in.
+ */
+struct lsm_blob {
+ int lsm_setcount; /* Number of blobs set */
+ void *lsm_blobs[COMPOSER_MAX]; /* LSM specific blobs */
+};
+
+static inline struct lsm_blob *lsm_alloc_blob(gfp_t gfp)
+{
+ return kzalloc(sizeof(struct lsm_blob), gfp);
+}
+
+static inline void *lsm_get_blob(const struct lsm_blob *bp, const int lsm)
+{
+ if (bp == NULL)
+ return NULL;
+ return bp->lsm_blobs[lsm];
+}
+
+static inline void lsm_set_blob(void **vpp, void *value, const int lsm)
+{
+ struct lsm_blob *bp = *vpp;
+
+ if (value == NULL && bp->lsm_blobs[lsm] != NULL)
+ bp->lsm_setcount--;
+ if (value != NULL && bp->lsm_blobs[lsm] == NULL)
+ bp->lsm_setcount++;
+
+ bp->lsm_blobs[lsm] = value;
+}
+
+static inline void *lsm_get_cred(const struct cred *cred,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(cred->security, sop->order);
+}
+
+static inline void lsm_set_cred(struct cred *cred, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&cred->security, value, sop->order);
+}
+
+static inline int lsm_set_init_cred(struct cred *cred, void *value,
+ const struct security_operations *sop)
+{
+ if (cred->security == NULL) {
+ cred->security = lsm_alloc_blob(GFP_KERNEL);
+ if (cred->security == NULL)
+ return -ENOMEM;
+ }
+
+ lsm_set_blob(&cred->security, value, sop->order);
+ return 0;
+}
+
+static inline void *lsm_get_file(const struct file *file,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(file->f_security, sop->order);
+}
+
+static inline void lsm_set_file(struct file *file, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&file->f_security, value, sop->order);
+}
+
+static inline void *lsm_get_inode(const struct inode *inode,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(inode->i_security, sop->order);
+}
+
+static inline void lsm_set_inode(struct inode *inode, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&inode->i_security, value, sop->order);
+}
+
+static inline void *lsm_get_super(const struct super_block *super,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(super->s_security, sop->order);
+}
+
+static inline void lsm_set_super(struct super_block *super, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&super->s_security, value, sop->order);
+}
+
+static inline void *lsm_get_ipc(const struct kern_ipc_perm *ipc,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(ipc->security, sop->order);
+}
+
+static inline void lsm_set_ipc(struct kern_ipc_perm *ipc, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&ipc->security, value, sop->order);
+}
+
+static inline void *lsm_get_msg(const struct msg_msg *msg,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(msg->security, sop->order);
+}
+
+static inline void lsm_set_msg(struct msg_msg *msg, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&msg->security, value, sop->order);
+}
+
+#ifdef CONFIG_KEYS
+static inline void *lsm_get_key(const struct key *key,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(key->security, sop->order);
+}
+
+static inline void lsm_set_key(struct key *key, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&key->security, value, sop->order);
+}
+#endif
+
+static inline void *lsm_get_sock(const struct sock *sock,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(sock->sk_security, sop->order);
+}
+
+static inline void lsm_set_sock(struct sock *sock, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&sock->sk_security, value, sop->order);
+}
+
+#endif /* ! _LINUX_LSM_H */
diff --git a/include/linux/security.h b/include/linux/security.h
index 0f6afc6..535a967 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -87,8 +87,6 @@ extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
extern int cap_inode_need_killpriv(struct dentry *dentry);
extern int cap_inode_killpriv(struct dentry *dentry);
extern int cap_mmap_addr(unsigned long addr);
-extern int cap_mmap_file(struct file *file, unsigned long reqprot,
- unsigned long prot, unsigned long flags);
extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5);
@@ -112,8 +110,6 @@ struct seq_file;
extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
-void reset_security_ops(void);
-
#ifdef CONFIG_MMU
extern unsigned long mmap_min_addr;
extern unsigned long dac_mmap_min_addr;
@@ -184,15 +180,223 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
opts->num_mnt_opts = 0;
}
+/*
+ * Index for LSM operations.
+ */
+enum lsm_hooks_index {
+ lsm_ptrace_access_check,
+ lsm_ptrace_traceme,
+ lsm_capget,
+ lsm_capset,
+ lsm_capable,
+ lsm_quotactl,
+ lsm_quota_on,
+ lsm_syslog,
+ lsm_settime,
+ lsm_vm_enough_memory,
+ lsm_bprm_set_creds,
+ lsm_bprm_check_security,
+ lsm_bprm_secureexec,
+ lsm_bprm_committing_creds,
+ lsm_bprm_committed_creds,
+ lsm_sb_alloc_security,
+ lsm_sb_free_security,
+ lsm_sb_copy_data,
+ lsm_sb_remount,
+ lsm_sb_kern_mount,
+ lsm_sb_show_options,
+ lsm_sb_statfs,
+ lsm_sb_mount,
+ lsm_sb_umount,
+ lsm_sb_pivotroot,
+ lsm_sb_set_mnt_opts,
+ lsm_sb_clone_mnt_opts,
+ lsm_sb_parse_opts_str,
+ lsm_path_unlink,
+ lsm_path_mkdir,
+ lsm_path_rmdir,
+ lsm_path_mknod,
+ lsm_path_truncate,
+ lsm_path_symlink,
+ lsm_path_link,
+ lsm_path_rename,
+ lsm_path_chmod,
+ lsm_path_chown,
+ lsm_path_chroot,
+ lsm_inode_alloc_security,
+ lsm_inode_free_security,
+ lsm_inode_init_security,
+ lsm_inode_create,
+ lsm_inode_link,
+ lsm_inode_unlink,
+ lsm_inode_symlink,
+ lsm_inode_mkdir,
+ lsm_inode_rmdir,
+ lsm_inode_mknod,
+ lsm_inode_rename,
+ lsm_inode_readlink,
+ lsm_inode_follow_link,
+ lsm_inode_permission,
+ lsm_inode_setattr,
+ lsm_inode_getattr,
+ lsm_inode_setxattr,
+ lsm_inode_post_setxattr,
+ lsm_inode_getxattr,
+ lsm_inode_listxattr,
+ lsm_inode_removexattr,
+ lsm_inode_need_killpriv,
+ lsm_inode_killpriv,
+ lsm_inode_getsecurity,
+ lsm_inode_setsecurity,
+ lsm_inode_listsecurity,
+ lsm_inode_getsecid,
+ lsm_file_permission,
+ lsm_file_alloc_security,
+ lsm_file_free_security,
+ lsm_file_ioctl,
+ lsm_mmap_addr,
+ lsm_mmap_file,
+ lsm_file_mprotect,
+ lsm_file_lock,
+ lsm_file_fcntl,
+ lsm_file_set_fowner,
+ lsm_file_send_sigiotask,
+ lsm_file_receive,
+ lsm_file_open,
+ lsm_task_create,
+ lsm_task_free,
+ lsm_cred_alloc_blank,
+ lsm_cred_free,
+ lsm_cred_prepare,
+ lsm_cred_transfer,
+ lsm_kernel_act_as,
+ lsm_kernel_create_files_as,
+ lsm_kernel_module_request,
+ lsm_kernel_module_from_file,
+ lsm_task_fix_setuid,
+ lsm_task_setpgid,
+ lsm_task_getpgid,
+ lsm_task_getsid,
+ lsm_task_getsecid,
+ lsm_task_setnice,
+ lsm_task_setioprio,
+ lsm_task_getioprio,
+ lsm_task_setrlimit,
+ lsm_task_setscheduler,
+ lsm_task_getscheduler,
+ lsm_task_movememory,
+ lsm_task_kill,
+ lsm_task_wait,
+ lsm_task_prctl,
+ lsm_task_to_inode,
+ lsm_ipc_permission,
+ lsm_ipc_getsecid,
+ lsm_msg_msg_alloc_security,
+ lsm_msg_msg_free_security,
+ lsm_msg_queue_alloc_security,
+ lsm_msg_queue_free_security,
+ lsm_msg_queue_associate,
+ lsm_msg_queue_msgctl,
+ lsm_msg_queue_msgsnd,
+ lsm_msg_queue_msgrcv,
+ lsm_shm_alloc_security,
+ lsm_shm_free_security,
+ lsm_shm_associate,
+ lsm_shm_shmctl,
+ lsm_shm_shmat,
+ lsm_sem_alloc_security,
+ lsm_sem_free_security,
+ lsm_sem_associate,
+ lsm_sem_semctl,
+ lsm_sem_semop,
+ lsm_netlink_send,
+ lsm_d_instantiate,
+ lsm_getprocattr,
+ lsm_setprocattr,
+ lsm_secid_to_secctx,
+ lsm_secctx_to_secid,
+ lsm_release_secctx,
+ lsm_inode_notifysecctx,
+ lsm_inode_setsecctx,
+ lsm_inode_getsecctx,
+ lsm_unix_stream_connect,
+ lsm_unix_may_send,
+ lsm_socket_create,
+ lsm_socket_post_create,
+ lsm_socket_bind,
+ lsm_socket_connect,
+ lsm_socket_listen,
+ lsm_socket_accept,
+ lsm_socket_sendmsg,
+ lsm_socket_recvmsg,
+ lsm_socket_getsockname,
+ lsm_socket_getpeername,
+ lsm_socket_getsockopt,
+ lsm_socket_setsockopt,
+ lsm_socket_shutdown,
+ lsm_socket_sock_rcv_skb,
+ lsm_socket_getpeersec_stream,
+ lsm_socket_getpeersec_dgram,
+ lsm_sk_alloc_security,
+ lsm_sk_free_security,
+ lsm_sk_clone_security,
+ lsm_sk_getsecid,
+ lsm_sock_graft,
+ lsm_inet_conn_request,
+ lsm_inet_csk_clone,
+ lsm_inet_conn_established,
+ lsm_secmark_relabel_packet,
+ lsm_secmark_refcount_inc,
+ lsm_secmark_refcount_dec,
+ lsm_req_classify_flow,
+ lsm_tun_dev_create,
+ lsm_tun_dev_post_create,
+ lsm_tun_dev_attach,
+ lsm_xfrm_policy_alloc_security,
+ lsm_xfrm_policy_clone_security,
+ lsm_xfrm_policy_free_security,
+ lsm_xfrm_policy_delete_security,
+ lsm_xfrm_state_alloc_security,
+ lsm_xfrm_state_free_security,
+ lsm_xfrm_state_delete_security,
+ lsm_xfrm_policy_lookup,
+ lsm_xfrm_state_pol_flow_match,
+ lsm_xfrm_decode_session,
+ lsm_key_alloc,
+ lsm_key_free,
+ lsm_key_permission,
+ lsm_key_getsecurity,
+ lsm_audit_rule_init,
+ lsm_audit_rule_known,
+ lsm_audit_rule_match,
+ lsm_audit_rule_free,
+ lsm_name, /* Used by security/inode.c */
+ LSM_MAX_HOOKS
+};
+
+/*
+ * There is a list for each hook.
+ */
+extern struct list_head lsm_hooks[LSM_MAX_HOOKS];
+
/**
* struct security_operations - main security structure
*
* Security module identifier.
*
+ * @list:
+ * An array of lists of hooks. These are traversed on
+ * hook execution.
+ *
* @name:
* A string that acts as a unique identifier for the LSM with max number
* of characters = SECURITY_NAME_MAX.
*
+ * @order:
+ * The numeric order in which this LSM will be invoked.
+ * Set during LSM initialization. Used to identify
+ * which security blob to use when there is more than one LSM.
+ *
* Security hooks for program execution operations.
*
* @bprm_set_creds:
@@ -1384,7 +1588,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* This is the main security structure.
*/
struct security_operations {
+ struct list_head list[LSM_MAX_HOOKS];
char name[SECURITY_NAME_MAX + 1];
+ int order;
int (*ptrace_access_check) (struct task_struct *child, unsigned int mode);
int (*ptrace_traceme) (struct task_struct *parent);
@@ -1662,12 +1868,18 @@ struct security_operations {
#endif /* CONFIG_AUDIT */
};
+/*
+ * The security operations vector for /proc interfaces.
+ */
+extern struct security_operations *lsm_present;
+
/* prototypes */
extern int security_init(void);
extern int security_module_enable(struct security_operations *ops);
-extern int register_security(struct security_operations *ops);
-extern void __init security_fixup_ops(struct security_operations *ops);
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+extern int reset_security_ops(struct security_operations *ops);
+#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
/* Security operations */
int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
@@ -3035,36 +3247,5 @@ static inline void free_secdata(void *secdata)
{ }
#endif /* CONFIG_SECURITY */
-#ifdef CONFIG_SECURITY_YAMA
-extern int yama_ptrace_access_check(struct task_struct *child,
- unsigned int mode);
-extern int yama_ptrace_traceme(struct task_struct *parent);
-extern void yama_task_free(struct task_struct *task);
-extern int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
- unsigned long arg4, unsigned long arg5);
-#else
-static inline int yama_ptrace_access_check(struct task_struct *child,
- unsigned int mode)
-{
- return 0;
-}
-
-static inline int yama_ptrace_traceme(struct task_struct *parent)
-{
- return 0;
-}
-
-static inline void yama_task_free(struct task_struct *task)
-{
-}
-
-static inline int yama_task_prctl(int option, unsigned long arg2,
- unsigned long arg3, unsigned long arg4,
- unsigned long arg5)
-{
- return -ENOSYS;
-}
-#endif /* CONFIG_SECURITY_YAMA */
-
#endif /* ! __LINUX_SECURITY_H */
diff --git a/security/Kconfig b/security/Kconfig
index e9c6ac7..83415b6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -123,49 +123,74 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/yama/Kconfig
+config SECURITY_COMPOSER_MAX
+ int "Maximum allowed security modules (1 to 12)"
+ depends on SECURITY
+ default 6
+ range 1 12
+ help
+ The number of security modules that can be loaded.
+ The default value allows for all of the upstream modules.
+ The maximum allowed value is 12.
+
source security/integrity/Kconfig
choice
- prompt "Default security module"
- default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
- default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
- default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
- default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
- default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
- default DEFAULT_SECURITY_DAC
+ depends on SECURITY
+ prompt "Presented security module"
+ default PRESENT_SECURITY_SELINUX \
+ if SECURITY_SELINUX && !(SECURITY_APPARMOR || SECURITY_SMACK)
+ default PRESENT_SECURITY_SMACK \
+ if SECURITY_SMACK && !(SECURITY_APPARMOR || SECURITY_SELINUX)
+ default PRESENT_SECURITY_APPARMOR \
+ if SECURITY_APPARMOR && !(SECURITY_SMACK || SECURITY_SELINUX)
+ default PRESENT_SECURITY_FIRST \
+ if SECURITY_APPARMOR || SECURITY_SMACK || SECURITY_SELINUX
+ default PRESENT_SECURITY_NONE
help
- Select the security module that will be used by default if the
- kernel parameter security= is not specified.
+ Select the security module that will be presented
+ with the /proc/*/attr interface.
+ If not specified the first registered LSM that uses
+ the /proc/*/attr interface will be chosen.
- config DEFAULT_SECURITY_SELINUX
+ config PRESENT_SECURITY_SELINUX
bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Present SELinux context information in the
+ files in /proc/*/attr
- config DEFAULT_SECURITY_SMACK
+ config PRESENT_SECURITY_SMACK
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+ help
+ Present Smack process label information
+ in /proc/*/attr/current
- config DEFAULT_SECURITY_TOMOYO
- bool "TOMOYO" if SECURITY_TOMOYO=y
-
- config DEFAULT_SECURITY_APPARMOR
+ config PRESENT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y
+ help
+ Present AppArmor context information in the
+ files in /proc/*/attr
- config DEFAULT_SECURITY_YAMA
- bool "Yama" if SECURITY_YAMA=y
+ config PRESENT_SECURITY_FIRST
+ bool "Use first registered LSM"
+ help
+ Present information from the first LSM that uses
+ /proc/*/attr in the files in /proc/*/attr
- config DEFAULT_SECURITY_DAC
- bool "Unix Discretionary Access Controls"
+ config PRESENT_SECURITY_NONE
+ bool "Present Nothing"
+ help
+ Do not present LSM information in /proc/*/attr
endchoice
-config DEFAULT_SECURITY
+config PRESENT_SECURITY
string
- default "selinux" if DEFAULT_SECURITY_SELINUX
- default "smack" if DEFAULT_SECURITY_SMACK
- default "tomoyo" if DEFAULT_SECURITY_TOMOYO
- default "apparmor" if DEFAULT_SECURITY_APPARMOR
- default "yama" if DEFAULT_SECURITY_YAMA
- default "" if DEFAULT_SECURITY_DAC
+ default "selinux" if PRESENT_SECURITY_SELINUX
+ default "smack" if PRESENT_SECURITY_SMACK
+ default "apparmor" if PRESENT_SECURITY_APPARMOR
+ default "FIRSTLSM" if PRESENT_SECURITY_FIRST
+ default "NOTHING"
endmenu
-
diff --git a/security/inode.c b/security/inode.c
index 43ce6e1..1ca6aaf 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -21,6 +21,9 @@
#include <linux/namei.h>
#include <linux/security.h>
#include <linux/magic.h>
+#ifdef CONFIG_SECURITY
+#include <linux/lsm.h>
+#endif
static struct vfsmount *mount;
static int mount_count;
@@ -215,6 +218,70 @@ void securityfs_remove(struct dentry *dentry)
}
EXPORT_SYMBOL_GPL(securityfs_remove);
+#ifdef CONFIG_SECURITY
+static struct dentry *lsm_dentry;
+static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
+ loff_t *ppos)
+{
+ struct security_operations *sop;
+ char *data;
+ int len;
+
+ data = kzalloc(COMPOSER_NAMES_MAX + 1, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
+ list_for_each_entry(sop, &lsm_hooks[lsm_name], list[lsm_name]) {
+ strcat(data, sop->name);
+ strcat(data, ",");
+ }
+ len = strlen(data);
+ if (len > 1)
+ data[len-1] = '\n';
+
+ len = simple_read_from_buffer(buf, count, ppos, data, len);
+ kfree(data);
+
+ return len;
+}
+
+static const struct file_operations lsm_ops = {
+ .read = lsm_read,
+ .llseek = generic_file_llseek,
+};
+
+static struct dentry *present_dentry;
+static ssize_t present_read(struct file *filp, char __user *buf, size_t count,
+ loff_t *ppos)
+{
+ struct security_operations *sop = lsm_present;
+ char *raw;
+ char *data;
+ int len;
+
+ if (sop)
+ raw = sop->name;
+ else
+ raw = "(none)";
+ len = strlen(raw);
+
+ data = kstrdup(raw, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
+ data[len] = '\n';
+ len = simple_read_from_buffer(buf, count, ppos, data, len + 1);
+ kfree(data);
+
+ return len;
+}
+
+static const struct file_operations present_ops = {
+ .read = present_read,
+ .llseek = generic_file_llseek,
+};
+#endif /* CONFIG_SECURITY */
+
static struct kobject *security_kobj;
static int __init securityfs_init(void)
@@ -226,9 +293,17 @@ static int __init securityfs_init(void)
return -EINVAL;
retval = register_filesystem(&fs_type);
- if (retval)
+ if (retval) {
kobject_put(security_kobj);
- return retval;
+ return retval;
+ }
+#ifdef CONFIG_SECURITY
+ lsm_dentry = securityfs_create_file("lsm", S_IRUGO, NULL, NULL,
+ &lsm_ops);
+ present_dentry = securityfs_create_file("present", S_IRUGO, NULL, NULL,
+ &present_ops);
+#endif /* CONFIG_SECURITY */
+ return 0;
}
core_initcall(securityfs_init);
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 4/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 4/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Configuration changes.
Headers files. Add securityfs files to report the
registered and present LSMs.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm.h | 174 +++++++++++++++++++++++++++++++
include/linux/security.h | 255 +++++++++++++++++++++++++++++++++++++++-------
security/Kconfig | 79 +++++++++-----
security/inode.c | 79 +++++++++++++-
4 files changed, 521 insertions(+), 66 deletions(-)
diff --git a/include/linux/lsm.h b/include/linux/lsm.h
new file mode 100644
index 0000000..5f36b6b
--- /dev/null
+++ b/include/linux/lsm.h
@@ -0,0 +1,174 @@
+/*
+ *
+ * Copyright (C) 2012 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) 2012 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ *
+ * Author:
+ * Casey Schaufler <casey@schaufler-ca.com>
+ *
+ */
+#ifndef _LINUX_LSM_H
+#define _LINUX_LSM_H
+
+#include <linux/cred.h>
+#include <linux/fs.h>
+#include <linux/msg.h>
+#include <linux/key.h>
+#include <net/sock.h>
+
+/*
+ * Maximum number of LSMs that can be used at a time.
+ */
+#define COMPOSER_MAX CONFIG_SECURITY_COMPOSER_MAX
+#define COMPOSER_NAMES_MAX ((SECURITY_NAME_MAX + 1) * COMPOSER_MAX)
+
+#include <linux/security.h>
+
+/*
+ * Just a set of slots for each LSM to keep its blob in.
+ */
+struct lsm_blob {
+ int lsm_setcount; /* Number of blobs set */
+ void *lsm_blobs[COMPOSER_MAX]; /* LSM specific blobs */
+};
+
+static inline struct lsm_blob *lsm_alloc_blob(gfp_t gfp)
+{
+ return kzalloc(sizeof(struct lsm_blob), gfp);
+}
+
+static inline void *lsm_get_blob(const struct lsm_blob *bp, const int lsm)
+{
+ if (bp == NULL)
+ return NULL;
+ return bp->lsm_blobs[lsm];
+}
+
+static inline void lsm_set_blob(void **vpp, void *value, const int lsm)
+{
+ struct lsm_blob *bp = *vpp;
+
+ if (value == NULL && bp->lsm_blobs[lsm] != NULL)
+ bp->lsm_setcount--;
+ if (value != NULL && bp->lsm_blobs[lsm] == NULL)
+ bp->lsm_setcount++;
+
+ bp->lsm_blobs[lsm] = value;
+}
+
+static inline void *lsm_get_cred(const struct cred *cred,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(cred->security, sop->order);
+}
+
+static inline void lsm_set_cred(struct cred *cred, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&cred->security, value, sop->order);
+}
+
+static inline int lsm_set_init_cred(struct cred *cred, void *value,
+ const struct security_operations *sop)
+{
+ if (cred->security == NULL) {
+ cred->security = lsm_alloc_blob(GFP_KERNEL);
+ if (cred->security == NULL)
+ return -ENOMEM;
+ }
+
+ lsm_set_blob(&cred->security, value, sop->order);
+ return 0;
+}
+
+static inline void *lsm_get_file(const struct file *file,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(file->f_security, sop->order);
+}
+
+static inline void lsm_set_file(struct file *file, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&file->f_security, value, sop->order);
+}
+
+static inline void *lsm_get_inode(const struct inode *inode,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(inode->i_security, sop->order);
+}
+
+static inline void lsm_set_inode(struct inode *inode, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&inode->i_security, value, sop->order);
+}
+
+static inline void *lsm_get_super(const struct super_block *super,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(super->s_security, sop->order);
+}
+
+static inline void lsm_set_super(struct super_block *super, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&super->s_security, value, sop->order);
+}
+
+static inline void *lsm_get_ipc(const struct kern_ipc_perm *ipc,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(ipc->security, sop->order);
+}
+
+static inline void lsm_set_ipc(struct kern_ipc_perm *ipc, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&ipc->security, value, sop->order);
+}
+
+static inline void *lsm_get_msg(const struct msg_msg *msg,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(msg->security, sop->order);
+}
+
+static inline void lsm_set_msg(struct msg_msg *msg, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&msg->security, value, sop->order);
+}
+
+#ifdef CONFIG_KEYS
+static inline void *lsm_get_key(const struct key *key,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(key->security, sop->order);
+}
+
+static inline void lsm_set_key(struct key *key, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&key->security, value, sop->order);
+}
+#endif
+
+static inline void *lsm_get_sock(const struct sock *sock,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(sock->sk_security, sop->order);
+}
+
+static inline void lsm_set_sock(struct sock *sock, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&sock->sk_security, value, sop->order);
+}
+
+#endif /* ! _LINUX_LSM_H */
diff --git a/include/linux/security.h b/include/linux/security.h
index 0f6afc6..535a967 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -87,8 +87,6 @@ extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
extern int cap_inode_need_killpriv(struct dentry *dentry);
extern int cap_inode_killpriv(struct dentry *dentry);
extern int cap_mmap_addr(unsigned long addr);
-extern int cap_mmap_file(struct file *file, unsigned long reqprot,
- unsigned long prot, unsigned long flags);
extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5);
@@ -112,8 +110,6 @@ struct seq_file;
extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
-void reset_security_ops(void);
-
#ifdef CONFIG_MMU
extern unsigned long mmap_min_addr;
extern unsigned long dac_mmap_min_addr;
@@ -184,15 +180,223 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
opts->num_mnt_opts = 0;
}
+/*
+ * Index for LSM operations.
+ */
+enum lsm_hooks_index {
+ lsm_ptrace_access_check,
+ lsm_ptrace_traceme,
+ lsm_capget,
+ lsm_capset,
+ lsm_capable,
+ lsm_quotactl,
+ lsm_quota_on,
+ lsm_syslog,
+ lsm_settime,
+ lsm_vm_enough_memory,
+ lsm_bprm_set_creds,
+ lsm_bprm_check_security,
+ lsm_bprm_secureexec,
+ lsm_bprm_committing_creds,
+ lsm_bprm_committed_creds,
+ lsm_sb_alloc_security,
+ lsm_sb_free_security,
+ lsm_sb_copy_data,
+ lsm_sb_remount,
+ lsm_sb_kern_mount,
+ lsm_sb_show_options,
+ lsm_sb_statfs,
+ lsm_sb_mount,
+ lsm_sb_umount,
+ lsm_sb_pivotroot,
+ lsm_sb_set_mnt_opts,
+ lsm_sb_clone_mnt_opts,
+ lsm_sb_parse_opts_str,
+ lsm_path_unlink,
+ lsm_path_mkdir,
+ lsm_path_rmdir,
+ lsm_path_mknod,
+ lsm_path_truncate,
+ lsm_path_symlink,
+ lsm_path_link,
+ lsm_path_rename,
+ lsm_path_chmod,
+ lsm_path_chown,
+ lsm_path_chroot,
+ lsm_inode_alloc_security,
+ lsm_inode_free_security,
+ lsm_inode_init_security,
+ lsm_inode_create,
+ lsm_inode_link,
+ lsm_inode_unlink,
+ lsm_inode_symlink,
+ lsm_inode_mkdir,
+ lsm_inode_rmdir,
+ lsm_inode_mknod,
+ lsm_inode_rename,
+ lsm_inode_readlink,
+ lsm_inode_follow_link,
+ lsm_inode_permission,
+ lsm_inode_setattr,
+ lsm_inode_getattr,
+ lsm_inode_setxattr,
+ lsm_inode_post_setxattr,
+ lsm_inode_getxattr,
+ lsm_inode_listxattr,
+ lsm_inode_removexattr,
+ lsm_inode_need_killpriv,
+ lsm_inode_killpriv,
+ lsm_inode_getsecurity,
+ lsm_inode_setsecurity,
+ lsm_inode_listsecurity,
+ lsm_inode_getsecid,
+ lsm_file_permission,
+ lsm_file_alloc_security,
+ lsm_file_free_security,
+ lsm_file_ioctl,
+ lsm_mmap_addr,
+ lsm_mmap_file,
+ lsm_file_mprotect,
+ lsm_file_lock,
+ lsm_file_fcntl,
+ lsm_file_set_fowner,
+ lsm_file_send_sigiotask,
+ lsm_file_receive,
+ lsm_file_open,
+ lsm_task_create,
+ lsm_task_free,
+ lsm_cred_alloc_blank,
+ lsm_cred_free,
+ lsm_cred_prepare,
+ lsm_cred_transfer,
+ lsm_kernel_act_as,
+ lsm_kernel_create_files_as,
+ lsm_kernel_module_request,
+ lsm_kernel_module_from_file,
+ lsm_task_fix_setuid,
+ lsm_task_setpgid,
+ lsm_task_getpgid,
+ lsm_task_getsid,
+ lsm_task_getsecid,
+ lsm_task_setnice,
+ lsm_task_setioprio,
+ lsm_task_getioprio,
+ lsm_task_setrlimit,
+ lsm_task_setscheduler,
+ lsm_task_getscheduler,
+ lsm_task_movememory,
+ lsm_task_kill,
+ lsm_task_wait,
+ lsm_task_prctl,
+ lsm_task_to_inode,
+ lsm_ipc_permission,
+ lsm_ipc_getsecid,
+ lsm_msg_msg_alloc_security,
+ lsm_msg_msg_free_security,
+ lsm_msg_queue_alloc_security,
+ lsm_msg_queue_free_security,
+ lsm_msg_queue_associate,
+ lsm_msg_queue_msgctl,
+ lsm_msg_queue_msgsnd,
+ lsm_msg_queue_msgrcv,
+ lsm_shm_alloc_security,
+ lsm_shm_free_security,
+ lsm_shm_associate,
+ lsm_shm_shmctl,
+ lsm_shm_shmat,
+ lsm_sem_alloc_security,
+ lsm_sem_free_security,
+ lsm_sem_associate,
+ lsm_sem_semctl,
+ lsm_sem_semop,
+ lsm_netlink_send,
+ lsm_d_instantiate,
+ lsm_getprocattr,
+ lsm_setprocattr,
+ lsm_secid_to_secctx,
+ lsm_secctx_to_secid,
+ lsm_release_secctx,
+ lsm_inode_notifysecctx,
+ lsm_inode_setsecctx,
+ lsm_inode_getsecctx,
+ lsm_unix_stream_connect,
+ lsm_unix_may_send,
+ lsm_socket_create,
+ lsm_socket_post_create,
+ lsm_socket_bind,
+ lsm_socket_connect,
+ lsm_socket_listen,
+ lsm_socket_accept,
+ lsm_socket_sendmsg,
+ lsm_socket_recvmsg,
+ lsm_socket_getsockname,
+ lsm_socket_getpeername,
+ lsm_socket_getsockopt,
+ lsm_socket_setsockopt,
+ lsm_socket_shutdown,
+ lsm_socket_sock_rcv_skb,
+ lsm_socket_getpeersec_stream,
+ lsm_socket_getpeersec_dgram,
+ lsm_sk_alloc_security,
+ lsm_sk_free_security,
+ lsm_sk_clone_security,
+ lsm_sk_getsecid,
+ lsm_sock_graft,
+ lsm_inet_conn_request,
+ lsm_inet_csk_clone,
+ lsm_inet_conn_established,
+ lsm_secmark_relabel_packet,
+ lsm_secmark_refcount_inc,
+ lsm_secmark_refcount_dec,
+ lsm_req_classify_flow,
+ lsm_tun_dev_create,
+ lsm_tun_dev_post_create,
+ lsm_tun_dev_attach,
+ lsm_xfrm_policy_alloc_security,
+ lsm_xfrm_policy_clone_security,
+ lsm_xfrm_policy_free_security,
+ lsm_xfrm_policy_delete_security,
+ lsm_xfrm_state_alloc_security,
+ lsm_xfrm_state_free_security,
+ lsm_xfrm_state_delete_security,
+ lsm_xfrm_policy_lookup,
+ lsm_xfrm_state_pol_flow_match,
+ lsm_xfrm_decode_session,
+ lsm_key_alloc,
+ lsm_key_free,
+ lsm_key_permission,
+ lsm_key_getsecurity,
+ lsm_audit_rule_init,
+ lsm_audit_rule_known,
+ lsm_audit_rule_match,
+ lsm_audit_rule_free,
+ lsm_name, /* Used by security/inode.c */
+ LSM_MAX_HOOKS
+};
+
+/*
+ * There is a list for each hook.
+ */
+extern struct list_head lsm_hooks[LSM_MAX_HOOKS];
+
/**
* struct security_operations - main security structure
*
* Security module identifier.
*
+ * @list:
+ * An array of lists of hooks. These are traversed on
+ * hook execution.
+ *
* @name:
* A string that acts as a unique identifier for the LSM with max number
* of characters = SECURITY_NAME_MAX.
*
+ * @order:
+ * The numeric order in which this LSM will be invoked.
+ * Set during LSM initialization. Used to identify
+ * which security blob to use when there is more than one LSM.
+ *
* Security hooks for program execution operations.
*
* @bprm_set_creds:
@@ -1384,7 +1588,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* This is the main security structure.
*/
struct security_operations {
+ struct list_head list[LSM_MAX_HOOKS];
char name[SECURITY_NAME_MAX + 1];
+ int order;
int (*ptrace_access_check) (struct task_struct *child, unsigned int mode);
int (*ptrace_traceme) (struct task_struct *parent);
@@ -1662,12 +1868,18 @@ struct security_operations {
#endif /* CONFIG_AUDIT */
};
+/*
+ * The security operations vector for /proc interfaces.
+ */
+extern struct security_operations *lsm_present;
+
/* prototypes */
extern int security_init(void);
extern int security_module_enable(struct security_operations *ops);
-extern int register_security(struct security_operations *ops);
-extern void __init security_fixup_ops(struct security_operations *ops);
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+extern int reset_security_ops(struct security_operations *ops);
+#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
/* Security operations */
int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
@@ -3035,36 +3247,5 @@ static inline void free_secdata(void *secdata)
{ }
#endif /* CONFIG_SECURITY */
-#ifdef CONFIG_SECURITY_YAMA
-extern int yama_ptrace_access_check(struct task_struct *child,
- unsigned int mode);
-extern int yama_ptrace_traceme(struct task_struct *parent);
-extern void yama_task_free(struct task_struct *task);
-extern int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
- unsigned long arg4, unsigned long arg5);
-#else
-static inline int yama_ptrace_access_check(struct task_struct *child,
- unsigned int mode)
-{
- return 0;
-}
-
-static inline int yama_ptrace_traceme(struct task_struct *parent)
-{
- return 0;
-}
-
-static inline void yama_task_free(struct task_struct *task)
-{
-}
-
-static inline int yama_task_prctl(int option, unsigned long arg2,
- unsigned long arg3, unsigned long arg4,
- unsigned long arg5)
-{
- return -ENOSYS;
-}
-#endif /* CONFIG_SECURITY_YAMA */
-
#endif /* ! __LINUX_SECURITY_H */
diff --git a/security/Kconfig b/security/Kconfig
index e9c6ac7..83415b6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -123,49 +123,74 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/yama/Kconfig
+config SECURITY_COMPOSER_MAX
+ int "Maximum allowed security modules (1 to 12)"
+ depends on SECURITY
+ default 6
+ range 1 12
+ help
+ The number of security modules that can be loaded.
+ The default value allows for all of the upstream modules.
+ The maximum allowed value is 12.
+
source security/integrity/Kconfig
choice
- prompt "Default security module"
- default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
- default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
- default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
- default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
- default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
- default DEFAULT_SECURITY_DAC
+ depends on SECURITY
+ prompt "Presented security module"
+ default PRESENT_SECURITY_SELINUX \
+ if SECURITY_SELINUX && !(SECURITY_APPARMOR || SECURITY_SMACK)
+ default PRESENT_SECURITY_SMACK \
+ if SECURITY_SMACK && !(SECURITY_APPARMOR || SECURITY_SELINUX)
+ default PRESENT_SECURITY_APPARMOR \
+ if SECURITY_APPARMOR && !(SECURITY_SMACK || SECURITY_SELINUX)
+ default PRESENT_SECURITY_FIRST \
+ if SECURITY_APPARMOR || SECURITY_SMACK || SECURITY_SELINUX
+ default PRESENT_SECURITY_NONE
help
- Select the security module that will be used by default if the
- kernel parameter security= is not specified.
+ Select the security module that will be presented
+ with the /proc/*/attr interface.
+ If not specified the first registered LSM that uses
+ the /proc/*/attr interface will be chosen.
- config DEFAULT_SECURITY_SELINUX
+ config PRESENT_SECURITY_SELINUX
bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Present SELinux context information in the
+ files in /proc/*/attr
- config DEFAULT_SECURITY_SMACK
+ config PRESENT_SECURITY_SMACK
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+ help
+ Present Smack process label information
+ in /proc/*/attr/current
- config DEFAULT_SECURITY_TOMOYO
- bool "TOMOYO" if SECURITY_TOMOYO=y
-
- config DEFAULT_SECURITY_APPARMOR
+ config PRESENT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y
+ help
+ Present AppArmor context information in the
+ files in /proc/*/attr
- config DEFAULT_SECURITY_YAMA
- bool "Yama" if SECURITY_YAMA=y
+ config PRESENT_SECURITY_FIRST
+ bool "Use first registered LSM"
+ help
+ Present information from the first LSM that uses
+ /proc/*/attr in the files in /proc/*/attr
- config DEFAULT_SECURITY_DAC
- bool "Unix Discretionary Access Controls"
+ config PRESENT_SECURITY_NONE
+ bool "Present Nothing"
+ help
+ Do not present LSM information in /proc/*/attr
endchoice
-config DEFAULT_SECURITY
+config PRESENT_SECURITY
string
- default "selinux" if DEFAULT_SECURITY_SELINUX
- default "smack" if DEFAULT_SECURITY_SMACK
- default "tomoyo" if DEFAULT_SECURITY_TOMOYO
- default "apparmor" if DEFAULT_SECURITY_APPARMOR
- default "yama" if DEFAULT_SECURITY_YAMA
- default "" if DEFAULT_SECURITY_DAC
+ default "selinux" if PRESENT_SECURITY_SELINUX
+ default "smack" if PRESENT_SECURITY_SMACK
+ default "apparmor" if PRESENT_SECURITY_APPARMOR
+ default "FIRSTLSM" if PRESENT_SECURITY_FIRST
+ default "NOTHING"
endmenu
-
diff --git a/security/inode.c b/security/inode.c
index 43ce6e1..1ca6aaf 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -21,6 +21,9 @@
#include <linux/namei.h>
#include <linux/security.h>
#include <linux/magic.h>
+#ifdef CONFIG_SECURITY
+#include <linux/lsm.h>
+#endif
static struct vfsmount *mount;
static int mount_count;
@@ -215,6 +218,70 @@ void securityfs_remove(struct dentry *dentry)
}
EXPORT_SYMBOL_GPL(securityfs_remove);
+#ifdef CONFIG_SECURITY
+static struct dentry *lsm_dentry;
+static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
+ loff_t *ppos)
+{
+ struct security_operations *sop;
+ char *data;
+ int len;
+
+ data = kzalloc(COMPOSER_NAMES_MAX + 1, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
+ list_for_each_entry(sop, &lsm_hooks[lsm_name], list[lsm_name]) {
+ strcat(data, sop->name);
+ strcat(data, ",");
+ }
+ len = strlen(data);
+ if (len > 1)
+ data[len-1] = '\n';
+
+ len = simple_read_from_buffer(buf, count, ppos, data, len);
+ kfree(data);
+
+ return len;
+}
+
+static const struct file_operations lsm_ops = {
+ .read = lsm_read,
+ .llseek = generic_file_llseek,
+};
+
+static struct dentry *present_dentry;
+static ssize_t present_read(struct file *filp, char __user *buf, size_t count,
+ loff_t *ppos)
+{
+ struct security_operations *sop = lsm_present;
+ char *raw;
+ char *data;
+ int len;
+
+ if (sop)
+ raw = sop->name;
+ else
+ raw = "(none)";
+ len = strlen(raw);
+
+ data = kstrdup(raw, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
+ data[len] = '\n';
+ len = simple_read_from_buffer(buf, count, ppos, data, len + 1);
+ kfree(data);
+
+ return len;
+}
+
+static const struct file_operations present_ops = {
+ .read = present_read,
+ .llseek = generic_file_llseek,
+};
+#endif /* CONFIG_SECURITY */
+
static struct kobject *security_kobj;
static int __init securityfs_init(void)
@@ -226,9 +293,17 @@ static int __init securityfs_init(void)
return -EINVAL;
retval = register_filesystem(&fs_type);
- if (retval)
+ if (retval) {
kobject_put(security_kobj);
- return retval;
+ return retval;
+ }
+#ifdef CONFIG_SECURITY
+ lsm_dentry = securityfs_create_file("lsm", S_IRUGO, NULL, NULL,
+ &lsm_ops);
+ present_dentry = securityfs_create_file("present", S_IRUGO, NULL, NULL,
+ &present_ops);
+#endif /* CONFIG_SECURITY */
+ return 0;
}
core_initcall(securityfs_init);
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 5/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 5/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Add per-LSM interfaces in /proc/*/attr as it is infeasible
to share them when more than one LSM is active.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/proc/base.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 9b43ff77..458422b 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2216,12 +2216,28 @@ static const struct file_operations proc_pid_attr_operations = {
};
static const struct pid_entry attr_dir_stuff[] = {
- REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("prev", S_IRUGO, proc_pid_attr_operations),
- REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("prev", S_IRUGO, proc_pid_attr_operations),
+ REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#ifdef CONFIG_SECURITY_SELINUX
+ REG("selinux.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.prev", S_IRUGO, proc_pid_attr_operations),
+ REG("selinux.exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
+#ifdef CONFIG_SECURITY_SMACK
+ REG("smack.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+ REG("apparmor.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("apparmor.prev", S_IRUGO, proc_pid_attr_operations),
+ REG("apparmor.exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
};
static int proc_attr_dir_readdir(struct file * filp,
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 5/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 5/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Add per-LSM interfaces in /proc/*/attr as it is infeasible
to share them when more than one LSM is active.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/proc/base.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 9b43ff77..458422b 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2216,12 +2216,28 @@ static const struct file_operations proc_pid_attr_operations = {
};
static const struct pid_entry attr_dir_stuff[] = {
- REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("prev", S_IRUGO, proc_pid_attr_operations),
- REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("prev", S_IRUGO, proc_pid_attr_operations),
+ REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#ifdef CONFIG_SECURITY_SELINUX
+ REG("selinux.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.prev", S_IRUGO, proc_pid_attr_operations),
+ REG("selinux.exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
+#ifdef CONFIG_SECURITY_SMACK
+ REG("smack.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+ REG("apparmor.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("apparmor.prev", S_IRUGO, proc_pid_attr_operations),
+ REG("apparmor.exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
};
static int proc_attr_dir_readdir(struct file * filp,
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 6/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 6/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Changes for SELinux. Abstract access to security blobs.
Add the now required parameter to reset_security_ops().
Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/selinux/hooks.c | 410 ++++++++++++++++++-------------------
security/selinux/include/objsec.h | 2 +
security/selinux/include/xfrm.h | 2 +-
security/selinux/netlabel.c | 13 +-
security/selinux/selinuxfs.c | 6 +-
security/selinux/xfrm.c | 9 +-
6 files changed, 222 insertions(+), 220 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 61a5336..8ec7ea0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -150,6 +150,7 @@ static int selinux_secmark_enabled(void)
*/
static void cred_init_security(void)
{
+ int rc;
struct cred *cred = (struct cred *) current->real_cred;
struct task_security_struct *tsec;
@@ -158,7 +159,9 @@ static void cred_init_security(void)
panic("SELinux: Failed to initialize initial task.\n");
tsec->osid = tsec->sid = SECINITSID_KERNEL;
- cred->security = tsec;
+ rc = lsm_set_init_cred(cred, tsec, &selinux_ops);
+ if (rc)
+ panic("SELinux: Failed to initialize initial task.\n");
}
/*
@@ -168,7 +171,7 @@ static inline u32 cred_sid(const struct cred *cred)
{
const struct task_security_struct *tsec;
- tsec = cred->security;
+ tsec = lsm_get_cred(cred, &selinux_ops);
return tsec->sid;
}
@@ -190,8 +193,9 @@ static inline u32 task_sid(const struct task_struct *task)
*/
static inline u32 current_sid(void)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec;
+ tsec = lsm_get_cred(current_cred(), &selinux_ops);
return tsec->sid;
}
@@ -212,22 +216,23 @@ static int inode_alloc_security(struct inode *inode)
isec->sid = SECINITSID_UNLABELED;
isec->sclass = SECCLASS_FILE;
isec->task_sid = sid;
- inode->i_security = isec;
+ lsm_set_inode(inode, isec, &selinux_ops);
return 0;
}
static void inode_free_security(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(inode->i_sb, &selinux_ops);
spin_lock(&sbsec->isec_lock);
if (!list_empty(&isec->list))
list_del_init(&isec->list);
spin_unlock(&sbsec->isec_lock);
- inode->i_security = NULL;
+ lsm_set_inode(inode, NULL, &selinux_ops);
kmem_cache_free(sel_inode_cache, isec);
}
@@ -242,15 +247,15 @@ static int file_alloc_security(struct file *file)
fsec->sid = sid;
fsec->fown_sid = sid;
- file->f_security = fsec;
+ lsm_set_file(file, fsec, &selinux_ops);
return 0;
}
static void file_free_security(struct file *file)
{
- struct file_security_struct *fsec = file->f_security;
- file->f_security = NULL;
+ struct file_security_struct *fsec = lsm_get_file(file, &selinux_ops);
+ lsm_set_file(file, NULL, &selinux_ops);
kfree(fsec);
}
@@ -269,15 +274,16 @@ static int superblock_alloc_security(struct super_block *sb)
sbsec->sid = SECINITSID_UNLABELED;
sbsec->def_sid = SECINITSID_FILE;
sbsec->mntpoint_sid = SECINITSID_UNLABELED;
- sb->s_security = sbsec;
+ lsm_set_super(sb, sbsec, &selinux_ops);
return 0;
}
static void superblock_free_security(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
- sb->s_security = NULL;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
+ lsm_set_super(sb, NULL, &selinux_ops);
kfree(sbsec);
}
@@ -323,9 +329,10 @@ static int may_context_mount_sb_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec;
int rc;
+ tsec = lsm_get_cred(cred, &selinux_ops);
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
@@ -340,8 +347,10 @@ static int may_context_mount_inode_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec;
int rc;
+
+ tsec = lsm_get_cred(cred, &selinux_ops);
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
@@ -354,7 +363,8 @@ static int may_context_mount_inode_relabel(u32 sid,
static int sb_finish_set_opts(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
struct dentry *root = sb->s_root;
struct inode *root_inode = root->d_inode;
int rc = 0;
@@ -444,7 +454,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
struct security_mnt_opts *opts)
{
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
char *context = NULL;
u32 len;
char tmp;
@@ -504,8 +515,9 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct inode *root = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *isec = root->i_security;
+ struct inode_security_struct *isec;
+ isec = lsm_get_inode(root, &selinux_ops);
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
goto out_free;
@@ -555,10 +567,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
{
const struct cred *cred = current_cred();
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
const char *name = sb->s_type->name;
struct inode *inode = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *root_isec = inode->i_security;
+ struct inode_security_struct *root_isec =
+ lsm_get_inode(inode, &selinux_ops);
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
char **mount_options = opts->mnt_opts;
@@ -753,8 +767,10 @@ out_double_mount:
static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
struct super_block *newsb)
{
- const struct superblock_security_struct *oldsbsec = oldsb->s_security;
- struct superblock_security_struct *newsbsec = newsb->s_security;
+ const struct superblock_security_struct *oldsbsec =
+ lsm_get_super(oldsb, &selinux_ops);
+ struct superblock_security_struct *newsbsec =
+ lsm_get_super(newsb, &selinux_ops);
int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
int set_context = (oldsbsec->flags & CONTEXT_MNT);
@@ -789,16 +805,19 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
newsbsec->sid = sid;
if (!set_rootcontext) {
struct inode *newinode = newsb->s_root->d_inode;
- struct inode_security_struct *newisec = newinode->i_security;
+ struct inode_security_struct *newisec =
+ lsm_get_inode(newinode, &selinux_ops);
newisec->sid = sid;
}
newsbsec->mntpoint_sid = sid;
}
if (set_rootcontext) {
const struct inode *oldinode = oldsb->s_root->d_inode;
- const struct inode_security_struct *oldisec = oldinode->i_security;
+ const struct inode_security_struct *oldisec =
+ lsm_get_inode(oldinode, &selinux_ops);
struct inode *newinode = newsb->s_root->d_inode;
- struct inode_security_struct *newisec = newinode->i_security;
+ struct inode_security_struct *newisec =
+ lsm_get_inode(newinode, &selinux_ops);
newisec->sid = oldisec->sid;
}
@@ -1162,7 +1181,7 @@ static int selinux_proc_get_sid(struct dentry *dentry,
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
struct superblock_security_struct *sbsec = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 sid;
struct dentry *dentry;
#define INITCONTEXTLEN 255
@@ -1177,7 +1196,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
if (isec->initialized)
goto out_unlock;
- sbsec = inode->i_sb->s_security;
+ sbsec = lsm_get_super(inode->i_sb, &selinux_ops);
if (!(sbsec->flags & SE_SBINITIALIZED)) {
/* Defer initialization until selinux_complete_init,
after the initial policy is loaded and the security
@@ -1389,8 +1408,10 @@ static int task_has_perm(const struct task_struct *tsk1,
u32 sid1, sid2;
rcu_read_lock();
- __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
- __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
+ __tsec1 = lsm_get_cred(__task_cred(tsk1), &selinux_ops);
+ sid1 = __tsec1->sid;
+ __tsec2 = lsm_get_cred(__task_cred(tsk2), &selinux_ops);
+ sid2 = __tsec2->sid;
rcu_read_unlock();
return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
}
@@ -1480,7 +1501,7 @@ static int inode_has_perm(const struct cred *cred,
return 0;
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
}
@@ -1527,7 +1548,7 @@ static int file_has_perm(const struct cred *cred,
struct file *file,
u32 av)
{
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = lsm_get_file(file, &selinux_ops);
struct inode *inode = file->f_path.dentry->d_inode;
struct common_audit_data ad;
u32 sid = cred_sid(cred);
@@ -1559,15 +1580,16 @@ static int may_create(struct inode *dir,
struct dentry *dentry,
u16 tclass)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid;
struct common_audit_data ad;
int rc;
- dsec = dir->i_security;
- sbsec = dir->i_sb->s_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ sbsec = lsm_get_super(dir->i_sb, &selinux_ops);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -1622,8 +1644,8 @@ static int may_link(struct inode *dir,
u32 av;
int rc;
- dsec = dir->i_security;
- isec = dentry->d_inode->i_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ isec = lsm_get_inode(dentry->d_inode, &selinux_ops);
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
@@ -1666,10 +1688,10 @@ static inline int may_rename(struct inode *old_dir,
int old_is_dir, new_is_dir;
int rc;
- old_dsec = old_dir->i_security;
- old_isec = old_dentry->d_inode->i_security;
+ old_dsec = lsm_get_inode(old_dir, &selinux_ops);
+ old_isec = lsm_get_inode(old_dentry->d_inode, &selinux_ops);
old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
- new_dsec = new_dir->i_security;
+ new_dsec = lsm_get_inode(new_dir, &selinux_ops);
ad.type = LSM_AUDIT_DATA_DENTRY;
@@ -1697,7 +1719,7 @@ static inline int may_rename(struct inode *old_dir,
if (rc)
return rc;
if (new_dentry->d_inode) {
- new_isec = new_dentry->d_inode->i_security;
+ new_isec = lsm_get_inode(new_dentry->d_inode, &selinux_ops);
new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
rc = avc_has_perm(sid, new_isec->sid,
new_isec->sclass,
@@ -1718,7 +1740,7 @@ static int superblock_has_perm(const struct cred *cred,
struct superblock_security_struct *sbsec;
u32 sid = cred_sid(cred);
- sbsec = sb->s_security;
+ sbsec = lsm_get_super(sb, &selinux_ops);
return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
@@ -1792,12 +1814,6 @@ static inline u32 open_file_to_av(struct file *file)
static int selinux_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int rc;
-
- rc = cap_ptrace_access_check(child, mode);
- if (rc)
- return rc;
-
if (mode & PTRACE_MODE_READ) {
u32 sid = current_sid();
u32 csid = task_sid(child);
@@ -1809,12 +1825,6 @@ static int selinux_ptrace_access_check(struct task_struct *child,
static int selinux_ptrace_traceme(struct task_struct *parent)
{
- int rc;
-
- rc = cap_ptrace_traceme(parent);
- if (rc)
- return rc;
-
return task_has_perm(parent, current, PROCESS__PTRACE);
}
@@ -1835,13 +1845,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- int error;
-
- error = cap_capset(new, old,
- effective, inheritable, permitted);
- if (error)
- return error;
-
return cred_has_perm(old, new, PROCESS__SETCAP);
}
@@ -1858,12 +1861,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit)
{
- int rc;
-
- rc = cap_capable(cred, ns, cap, audit);
- if (rc)
- return rc;
-
return cred_has_capability(cred, cap, audit);
}
@@ -1960,18 +1957,14 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
struct inode *inode = bprm->file->f_path.dentry->d_inode;
int rc;
- rc = cap_bprm_set_creds(bprm);
- if (rc)
- return rc;
-
/* SELinux context only depends on initial program or script and not
* the script interpreter */
if (bprm->cred_prepared)
return 0;
- old_tsec = current_security();
- new_tsec = bprm->cred->security;
- isec = inode->i_security;
+ old_tsec = lsm_get_cred(current_cred(), &selinux_ops);
+ new_tsec = lsm_get_cred(bprm->cred, &selinux_ops);
+ isec = lsm_get_inode(inode, &selinux_ops);
/* Default to the current task SID. */
new_tsec->sid = old_tsec->sid;
@@ -2046,7 +2039,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
rcu_read_lock();
tracer = ptrace_parent(current);
if (likely(tracer != NULL)) {
- sec = __task_cred(tracer)->security;
+ sec = lsm_get_cred(__task_cred(tracer),
+ &selinux_ops);
ptsid = sec->sid;
}
rcu_read_unlock();
@@ -2069,7 +2063,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
u32 sid, osid;
int atsecure = 0;
@@ -2085,7 +2080,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
PROCESS__NOATSECURE, NULL);
}
- return (atsecure || cap_bprm_secureexec(bprm));
+ return atsecure;
}
static int match_file(const void *p, struct file *file, unsigned fd)
@@ -2151,7 +2146,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
struct rlimit *rlim, *initrlim;
int rc, i;
- new_tsec = bprm->cred->security;
+ new_tsec = lsm_get_cred(bprm->cred, &selinux_ops);
if (new_tsec->sid == new_tsec->osid)
return;
@@ -2192,7 +2187,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
*/
static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct itimerval itimer;
u32 osid, sid;
int rc, i;
@@ -2339,7 +2335,8 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
int rc, i, *flags;
struct security_mnt_opts opts;
char *secdata, **mount_options;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
if (!(sbsec->flags & SE_SBINITIALIZED))
return 0;
@@ -2391,7 +2388,8 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
break;
case ROOTCONTEXT_MNT: {
struct inode_security_struct *root_isec;
- root_isec = sb->s_root->d_inode->i_security;
+ root_isec = lsm_get_inode(sb->s_root->d_inode,
+ &selinux_ops);
if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
goto out_bad_option;
@@ -2487,15 +2485,16 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, char **name,
void **value, size_t *len)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid, clen;
int rc;
char *namep = NULL, *context;
- dsec = dir->i_security;
- sbsec = dir->i_sb->s_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ sbsec = lsm_get_super(dir->i_sb, &selinux_ops);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -2519,7 +2518,8 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
/* Possibly defer initialization to selinux_complete_init. */
if (sbsec->flags & SE_SBINITIALIZED) {
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec =
+ lsm_get_inode(inode, &selinux_ops);
isec->sclass = inode_mode_to_security_class(inode->i_mode);
isec->sid = newsid;
isec->initialized = 1;
@@ -2608,7 +2608,7 @@ static noinline int audit_inode_permission(struct inode *inode,
unsigned flags)
{
struct common_audit_data ad;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
int rc;
ad.type = LSM_AUDIT_DATA_INODE;
@@ -2648,7 +2648,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
perms = file_mask_to_av(inode->i_mode, mask);
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
audited = avc_audit_required(perms, &avd, rc,
@@ -2723,7 +2723,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
struct inode *inode = dentry->d_inode;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
struct superblock_security_struct *sbsec;
struct common_audit_data ad;
u32 newsid, sid = current_sid();
@@ -2732,7 +2732,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
- sbsec = inode->i_sb->s_security;
+ sbsec = lsm_get_super(inode->i_sb, &selinux_ops);
if (!(sbsec->flags & SE_SBLABELSUPP))
return -EOPNOTSUPP;
@@ -2800,7 +2800,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
int flags)
{
struct inode *inode = dentry->d_inode;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 newsid;
int rc;
@@ -2855,7 +2855,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
u32 size;
int error;
char *context = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
if (strcmp(name, XATTR_SELINUX_SUFFIX))
return -EOPNOTSUPP;
@@ -2891,7 +2891,7 @@ out_nofree:
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 newsid;
int rc;
@@ -2920,7 +2920,7 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
*secid = isec->sid;
}
@@ -2942,8 +2942,8 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
static int selinux_file_permission(struct file *file, int mask)
{
struct inode *inode = file->f_path.dentry->d_inode;
- struct file_security_struct *fsec = file->f_security;
- struct inode_security_struct *isec = inode->i_security;
+ struct file_security_struct *fsec = lsm_get_file(file, &selinux_ops);
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 sid = current_sid();
if (!mask)
@@ -3177,7 +3177,7 @@ static int selinux_file_set_fowner(struct file *file)
{
struct file_security_struct *fsec;
- fsec = file->f_security;
+ fsec = lsm_get_file(file, &selinux_ops);
fsec->fown_sid = current_sid();
return 0;
@@ -3194,7 +3194,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
/* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner);
- fsec = file->f_security;
+ fsec = lsm_get_file(file, &selinux_ops);
if (!signum)
perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@@ -3217,8 +3217,8 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
struct file_security_struct *fsec;
struct inode_security_struct *isec;
- fsec = file->f_security;
- isec = file->f_path.dentry->d_inode->i_security;
+ fsec = lsm_get_file(file, &selinux_ops);
+ isec = lsm_get_inode(file->f_path.dentry->d_inode, &selinux_ops);
/*
* Save inode label and policy sequence number
* at open-time so that selinux_file_permission
@@ -3257,7 +3257,7 @@ static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (!tsec)
return -ENOMEM;
- cred->security = tsec;
+ lsm_set_cred(cred, tsec, &selinux_ops);
return 0;
}
@@ -3266,14 +3266,14 @@ static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void selinux_cred_free(struct cred *cred)
{
- struct task_security_struct *tsec = cred->security;
+ struct task_security_struct *tsec = lsm_get_cred(cred, &selinux_ops);
/*
* cred->security == NULL if security_cred_alloc_blank() or
* security_prepare_creds() returned an error.
*/
- BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
- cred->security = (void *) 0x7UL;
+ BUG_ON(tsec && (unsigned long) tsec < PAGE_SIZE);
+ lsm_set_cred(cred, NULL, &selinux_ops);
kfree(tsec);
}
@@ -3286,13 +3286,13 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
const struct task_security_struct *old_tsec;
struct task_security_struct *tsec;
- old_tsec = old->security;
+ old_tsec = lsm_get_cred(old, &selinux_ops);
tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
if (!tsec)
return -ENOMEM;
- new->security = tsec;
+ lsm_set_cred(new, tsec, &selinux_ops);
return 0;
}
@@ -3301,9 +3301,15 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
*/
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct task_security_struct *old_tsec = old->security;
- struct task_security_struct *tsec = new->security;
+ const struct task_security_struct *old_tsec;
+ struct task_security_struct *tsec;
+ old_tsec = lsm_get_cred(old, &selinux_ops);
+ tsec = lsm_get_cred(new, &selinux_ops);
+
+ /*
+ * This is a data copy, not a pointer assignment.
+ */
*tsec = *old_tsec;
}
@@ -3313,7 +3319,7 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
*/
static int selinux_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = lsm_get_cred(new, &selinux_ops);
u32 sid = current_sid();
int ret;
@@ -3336,8 +3342,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
*/
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct task_security_struct *tsec = new->security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
+ struct task_security_struct *tsec = lsm_get_cred(new, &selinux_ops);
u32 sid = current_sid();
int ret;
@@ -3387,23 +3393,11 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
static int selinux_task_setnice(struct task_struct *p, int nice)
{
- int rc;
-
- rc = cap_task_setnice(p, nice);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
{
- int rc;
-
- rc = cap_task_setioprio(p, ioprio);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
@@ -3429,12 +3423,6 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
static int selinux_task_setscheduler(struct task_struct *p)
{
- int rc;
-
- rc = cap_task_setscheduler(p);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
@@ -3474,7 +3462,7 @@ static int selinux_task_wait(struct task_struct *p)
static void selinux_task_to_inode(struct task_struct *p,
struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 sid = task_sid(p);
isec->sid = sid;
@@ -3729,7 +3717,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
u32 tsid = task_sid(task);
@@ -3747,7 +3735,8 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
static int selinux_socket_create(int family, int type,
int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
u32 newsid;
u16 secclass;
int rc;
@@ -3766,8 +3755,10 @@ static int selinux_socket_create(int family, int type,
static int selinux_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
- struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
+ struct inode_security_struct *isec =
+ lsm_get_inode(SOCK_INODE(sock), &selinux_ops);
struct sk_security_struct *sksec;
int err = 0;
@@ -3784,7 +3775,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
isec->initialized = 1;
if (sock->sk) {
- sksec = sock->sk->sk_security;
+ sksec = lsm_get_sock(sock->sk, &selinux_ops);
sksec->sid = isec->sid;
sksec->sclass = isec->sclass;
err = selinux_netlbl_socket_post_create(sock->sk, family);
@@ -3815,7 +3806,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
family = sk->sk_family;
if (family == PF_INET || family == PF_INET6) {
char *addrp;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
struct sockaddr_in *addr4 = NULL;
@@ -3899,7 +3891,7 @@ out:
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
int err;
err = sock_has_perm(current, sk, SOCKET__CONNECT);
@@ -3967,9 +3959,9 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
if (err)
return err;
- newisec = SOCK_INODE(newsock)->i_security;
+ newisec = lsm_get_inode(SOCK_INODE(newsock), &selinux_ops);
- isec = SOCK_INODE(sock)->i_security;
+ isec = lsm_get_inode(SOCK_INODE(sock), &selinux_ops);
newisec->sclass = isec->sclass;
newisec->sid = isec->sid;
newisec->initialized = 1;
@@ -4025,9 +4017,12 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
{
- struct sk_security_struct *sksec_sock = sock->sk_security;
- struct sk_security_struct *sksec_other = other->sk_security;
- struct sk_security_struct *sksec_new = newsk->sk_security;
+ struct sk_security_struct *sksec_sock =
+ lsm_get_sock(sock, &selinux_ops);
+ struct sk_security_struct *sksec_other =
+ lsm_get_sock(other, &selinux_ops);
+ struct sk_security_struct *sksec_new =
+ lsm_get_sock(newsk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
int err;
@@ -4058,8 +4053,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
static int selinux_socket_unix_may_send(struct socket *sock,
struct socket *other)
{
- struct sk_security_struct *ssec = sock->sk->sk_security;
- struct sk_security_struct *osec = other->sk->sk_security;
+ struct sk_security_struct *ssec = lsm_get_sock(sock->sk, &selinux_ops);
+ struct sk_security_struct *osec = lsm_get_sock(other->sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4098,7 +4093,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
int err = 0;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4130,7 +4125,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
int err;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
@@ -4200,7 +4195,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
int err = 0;
char *scontext;
u32 scontext_len;
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sock->sk, &selinux_ops);
u32 peer_sid = SECSID_NULL;
if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
@@ -4265,24 +4260,24 @@ static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority
sksec->peer_sid = SECINITSID_UNLABELED;
sksec->sid = SECINITSID_UNLABELED;
selinux_netlbl_sk_security_reset(sksec);
- sk->sk_security = sksec;
+ lsm_set_sock(sk, sksec, &selinux_ops);
return 0;
}
static void selinux_sk_free_security(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
- sk->sk_security = NULL;
+ lsm_set_sock(sk, NULL, &selinux_ops);
selinux_netlbl_sk_security_free(sksec);
kfree(sksec);
}
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
{
- struct sk_security_struct *sksec = sk->sk_security;
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
+ struct sk_security_struct *newsksec = lsm_get_sock(newsk, &selinux_ops);
newsksec->sid = sksec->sid;
newsksec->peer_sid = sksec->peer_sid;
@@ -4296,7 +4291,8 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
if (!sk)
*secid = SECINITSID_ANY_SOCKET;
else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
*secid = sksec->sid;
}
@@ -4304,8 +4300,9 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
- struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct inode_security_struct *isec =
+ lsm_get_inode(SOCK_INODE(parent), &selinux_ops);
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
sk->sk_family == PF_UNIX)
@@ -4316,7 +4313,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
int err;
u16 family = sk->sk_family;
u32 newsid;
@@ -4346,7 +4343,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void selinux_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *newsksec = lsm_get_sock(newsk, &selinux_ops);
newsksec->sid = req->secid;
newsksec->peer_sid = req->peer_secid;
@@ -4363,7 +4360,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
{
u16 family = sk->sk_family;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
/* handle mapped IPv4 packets arriving via IPv6 sockets */
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -4377,7 +4374,7 @@ static int selinux_secmark_relabel_packet(u32 sid)
const struct task_security_struct *__tsec;
u32 tsid;
- __tsec = current_security();
+ __tsec = lsm_get_cred(current_cred(), &selinux_ops);
tsid = __tsec->sid;
return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
@@ -4416,7 +4413,7 @@ static int selinux_tun_dev_create(void)
static void selinux_tun_dev_post_create(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
/* we don't currently perform any NetLabel based labeling here and it
* isn't clear that we would want to do so anyway; while we could apply
@@ -4434,7 +4431,7 @@ static void selinux_tun_dev_post_create(struct sock *sk)
static int selinux_tun_dev_attach(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
u32 sid = current_sid();
int err;
@@ -4457,7 +4454,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
int err = 0;
u32 perm;
struct nlmsghdr *nlh;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (skb->len < NLMSG_SPACE(0)) {
err = -EINVAL;
@@ -4577,7 +4574,8 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
* because we want to make sure we apply the necessary labeling
* before IPsec is applied so we can leverage AH protection */
if (skb->sk) {
- struct sk_security_struct *sksec = skb->sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(skb->sk, &selinux_ops);
sid = sksec->sid;
} else
sid = SECINITSID_KERNEL;
@@ -4609,7 +4607,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
if (sk == NULL)
return NF_ACCEPT;
- sksec = sk->sk_security;
+ sksec = lsm_get_sock(sk, &selinux_ops);
ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net;
@@ -4677,7 +4675,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
peer_sid = SECINITSID_KERNEL;
}
} else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
peer_sid = sksec->sid;
secmark_perm = PACKET__SEND;
}
@@ -4738,12 +4737,6 @@ static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
- int err;
-
- err = cap_netlink_send(sk, skb);
- if (err)
- return err;
-
return selinux_nlmsg_perm(sk, skb);
}
@@ -4761,15 +4754,15 @@ static int ipc_alloc_security(struct task_struct *task,
sid = task_sid(task);
isec->sclass = sclass;
isec->sid = sid;
- perm->security = isec;
+ lsm_set_ipc(perm, isec, &selinux_ops);
return 0;
}
static void ipc_free_security(struct kern_ipc_perm *perm)
{
- struct ipc_security_struct *isec = perm->security;
- perm->security = NULL;
+ struct ipc_security_struct *isec = lsm_get_ipc(perm, &selinux_ops);
+ lsm_set_ipc(perm, NULL, &selinux_ops);
kfree(isec);
}
@@ -4782,16 +4775,16 @@ static int msg_msg_alloc_security(struct msg_msg *msg)
return -ENOMEM;
msec->sid = SECINITSID_UNLABELED;
- msg->security = msec;
+ lsm_set_msg(msg, msec, &selinux_ops);
return 0;
}
static void msg_msg_free_security(struct msg_msg *msg)
{
- struct msg_security_struct *msec = msg->security;
+ struct msg_security_struct *msec = lsm_get_msg(msg, &selinux_ops);
- msg->security = NULL;
+ lsm_set_msg(msg, NULL, &selinux_ops);
kfree(msec);
}
@@ -4802,7 +4795,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
struct common_audit_data ad;
u32 sid = current_sid();
- isec = ipc_perms->security;
+ isec = lsm_get_ipc(ipc_perms, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = ipc_perms->key;
@@ -4832,7 +4825,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
if (rc)
return rc;
- isec = msq->q_perm.security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4857,7 +4850,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = msq->q_perm.security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4902,8 +4895,8 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = current_sid();
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
+ msec = lsm_get_msg(msg, &selinux_ops);
/*
* First time through, need to assign label to the message
@@ -4947,8 +4940,8 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = task_sid(target);
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
+ msec = lsm_get_msg(msg, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4973,7 +4966,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
if (rc)
return rc;
- isec = shp->shm_perm.security;
+ isec = lsm_get_ipc(&shp->shm_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -4998,7 +4991,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = shp->shm_perm.security;
+ isec = lsm_get_ipc(&shp->shm_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -5065,7 +5058,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
if (rc)
return rc;
- isec = sma->sem_perm.security;
+ isec = lsm_get_ipc(&sma->sem_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5090,7 +5083,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = sma->sem_perm.security;
+ isec = lsm_get_ipc(&sma->sem_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5172,7 +5165,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- struct ipc_security_struct *isec = ipcp->security;
+ struct ipc_security_struct *isec = lsm_get_ipc(ipcp, &selinux_ops);
*secid = isec->sid;
}
@@ -5197,7 +5190,7 @@ static int selinux_getprocattr(struct task_struct *p,
}
rcu_read_lock();
- __tsec = __task_cred(p)->security;
+ __tsec = lsm_get_cred(__task_cred(p), &selinux_ops);
if (!strcmp(name, "current"))
sid = __tsec->sid;
@@ -5306,7 +5299,7 @@ static int selinux_setprocattr(struct task_struct *p,
operation. See selinux_bprm_set_creds for the execve
checks and may_create for the file creation checks. The
operation will then fail if the context is not permitted. */
- tsec = new->security;
+ tsec = lsm_get_cred(new, &selinux_ops);
if (!strcmp(name, "exec")) {
tsec->exec_sid = sid;
} else if (!strcmp(name, "fscreate")) {
@@ -5420,21 +5413,21 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
if (!ksec)
return -ENOMEM;
- tsec = cred->security;
+ tsec = lsm_get_cred(cred, &selinux_ops);
if (tsec->keycreate_sid)
ksec->sid = tsec->keycreate_sid;
else
ksec->sid = tsec->sid;
- k->security = ksec;
+ lsm_set_key(k, ksec, &selinux_ops);
return 0;
}
static void selinux_key_free(struct key *k)
{
- struct key_security_struct *ksec = k->security;
+ struct key_security_struct *ksec = lsm_get_key(k, &selinux_ops);
- k->security = NULL;
+ lsm_set_key(k, NULL, &selinux_ops);
kfree(ksec);
}
@@ -5455,14 +5448,14 @@ static int selinux_key_permission(key_ref_t key_ref,
sid = cred_sid(cred);
key = key_ref_to_ptr(key_ref);
- ksec = key->security;
+ ksec = lsm_get_key(key, &selinux_ops);
return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
static int selinux_key_getsecurity(struct key *key, char **_buffer)
{
- struct key_security_struct *ksec = key->security;
+ struct key_security_struct *ksec = lsm_get_key(key, &selinux_ops);
char *context = NULL;
unsigned len;
int rc;
@@ -5476,7 +5469,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
-static struct security_operations selinux_ops = {
+struct security_operations selinux_ops = {
.name = "selinux",
.ptrace_access_check = selinux_ptrace_access_check,
@@ -5676,13 +5669,13 @@ static struct security_operations selinux_ops = {
static __init int selinux_init(void)
{
- if (!security_module_enable(&selinux_ops)) {
- selinux_enabled = 0;
+ if (!selinux_enabled) {
+ pr_info("SELinux: Disabled at boot.\n");
return 0;
}
- if (!selinux_enabled) {
- printk(KERN_INFO "SELinux: Disabled at boot.\n");
+ if (!security_module_enable(&selinux_ops)) {
+ selinux_enabled = 0;
return 0;
}
@@ -5694,13 +5687,10 @@ static __init int selinux_init(void)
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
sel_inode_cache = kmem_cache_create("selinux_inode_security",
- sizeof(struct inode_security_struct),
- 0, SLAB_PANIC, NULL);
+ sizeof(struct inode_security_struct),
+ 0, SLAB_PANIC, NULL);
avc_init();
- if (register_security(&selinux_ops))
- panic("SELinux: Unable to register with kernel.\n");
-
if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
else
@@ -5824,6 +5814,8 @@ static int selinux_disabled;
int selinux_disable(void)
{
+ int rc;
+
if (ss_initialized) {
/* Not permitted after initial policy load. */
return -EINVAL;
@@ -5834,13 +5826,17 @@ int selinux_disable(void)
return -EINVAL;
}
+ rc = reset_security_ops(&selinux_ops);
+ if (rc) {
+ pr_info("SELinux: Runtime disable disallowed.\n");
+ return rc;
+ }
+
printk(KERN_INFO "SELinux: Disabled at runtime.\n");
selinux_disabled = 1;
selinux_enabled = 0;
- reset_security_ops();
-
/* Try to destroy the avc node cache */
avc_disable();
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 26c7eee..1d1dd10 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -24,6 +24,7 @@
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
+#include <linux/lsm.h>
#include "flask.h"
#include "avc.h"
@@ -115,5 +116,6 @@ struct key_security_struct {
};
extern unsigned int selinux_checkreqprot;
+extern struct security_operations selinux_ops;
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 65f67cb..1219221 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -31,7 +31,7 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
if (!sk->sk_socket)
return NULL;
- return SOCK_INODE(sk->sk_socket)->i_security;
+ return lsm_get_inode(SOCK_INODE(sk->sk_socket), &selinux_ops);
}
#ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index da4b8b2..7a9cbd0 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -81,7 +81,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_secattr != NULL)
@@ -221,7 +221,8 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
* being labeled by it's parent socket, if it is just exit */
sk = skb->sk;
if (sk != NULL) {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
if (sksec->nlbl_state != NLBL_REQSKB)
return 0;
secattr = sksec->nlbl_secattr;
@@ -283,7 +284,7 @@ inet_conn_request_return:
*/
void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (family == PF_INET)
sksec->nlbl_state = NLBL_LABELED;
@@ -304,7 +305,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (family != PF_INET)
@@ -402,7 +403,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
{
int rc = 0;
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr secattr;
if (level == IPPROTO_IP && optname == IP_OPTIONS &&
@@ -435,7 +436,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_state != NLBL_REQSKB &&
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 3a6e873..415c6b7 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -83,7 +83,7 @@ static int task_has_security(struct task_struct *tsk,
u32 sid = 0;
rcu_read_lock();
- tsec = __task_cred(tsk)->security;
+ tsec = lsm_get_cred(__task_cred(tsk), &selinux_ops);
if (tsec)
sid = tsec->sid;
rcu_read_unlock();
@@ -1264,7 +1264,7 @@ static int sel_make_bools(void)
if (len >= PAGE_SIZE)
goto out;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
if (ret)
goto out;
@@ -1831,7 +1831,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
goto err;
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = 1;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 48665ec..02979a3 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -198,7 +198,8 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
struct xfrm_user_sec_ctx *uctx, u32 sid)
{
int rc = 0;
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct xfrm_sec_ctx *ctx = NULL;
char *ctx_str = NULL;
u32 str_len;
@@ -334,7 +335,8 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
*/
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
int rc = 0;
if (ctx) {
@@ -379,7 +381,8 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
*/
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct xfrm_sec_ctx *ctx = x->security;
int rc = 0;
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 6/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 6/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Changes for SELinux. Abstract access to security blobs.
Add the now required parameter to reset_security_ops().
Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/selinux/hooks.c | 410 ++++++++++++++++++-------------------
security/selinux/include/objsec.h | 2 +
security/selinux/include/xfrm.h | 2 +-
security/selinux/netlabel.c | 13 +-
security/selinux/selinuxfs.c | 6 +-
security/selinux/xfrm.c | 9 +-
6 files changed, 222 insertions(+), 220 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 61a5336..8ec7ea0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -150,6 +150,7 @@ static int selinux_secmark_enabled(void)
*/
static void cred_init_security(void)
{
+ int rc;
struct cred *cred = (struct cred *) current->real_cred;
struct task_security_struct *tsec;
@@ -158,7 +159,9 @@ static void cred_init_security(void)
panic("SELinux: Failed to initialize initial task.\n");
tsec->osid = tsec->sid = SECINITSID_KERNEL;
- cred->security = tsec;
+ rc = lsm_set_init_cred(cred, tsec, &selinux_ops);
+ if (rc)
+ panic("SELinux: Failed to initialize initial task.\n");
}
/*
@@ -168,7 +171,7 @@ static inline u32 cred_sid(const struct cred *cred)
{
const struct task_security_struct *tsec;
- tsec = cred->security;
+ tsec = lsm_get_cred(cred, &selinux_ops);
return tsec->sid;
}
@@ -190,8 +193,9 @@ static inline u32 task_sid(const struct task_struct *task)
*/
static inline u32 current_sid(void)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec;
+ tsec = lsm_get_cred(current_cred(), &selinux_ops);
return tsec->sid;
}
@@ -212,22 +216,23 @@ static int inode_alloc_security(struct inode *inode)
isec->sid = SECINITSID_UNLABELED;
isec->sclass = SECCLASS_FILE;
isec->task_sid = sid;
- inode->i_security = isec;
+ lsm_set_inode(inode, isec, &selinux_ops);
return 0;
}
static void inode_free_security(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(inode->i_sb, &selinux_ops);
spin_lock(&sbsec->isec_lock);
if (!list_empty(&isec->list))
list_del_init(&isec->list);
spin_unlock(&sbsec->isec_lock);
- inode->i_security = NULL;
+ lsm_set_inode(inode, NULL, &selinux_ops);
kmem_cache_free(sel_inode_cache, isec);
}
@@ -242,15 +247,15 @@ static int file_alloc_security(struct file *file)
fsec->sid = sid;
fsec->fown_sid = sid;
- file->f_security = fsec;
+ lsm_set_file(file, fsec, &selinux_ops);
return 0;
}
static void file_free_security(struct file *file)
{
- struct file_security_struct *fsec = file->f_security;
- file->f_security = NULL;
+ struct file_security_struct *fsec = lsm_get_file(file, &selinux_ops);
+ lsm_set_file(file, NULL, &selinux_ops);
kfree(fsec);
}
@@ -269,15 +274,16 @@ static int superblock_alloc_security(struct super_block *sb)
sbsec->sid = SECINITSID_UNLABELED;
sbsec->def_sid = SECINITSID_FILE;
sbsec->mntpoint_sid = SECINITSID_UNLABELED;
- sb->s_security = sbsec;
+ lsm_set_super(sb, sbsec, &selinux_ops);
return 0;
}
static void superblock_free_security(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
- sb->s_security = NULL;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
+ lsm_set_super(sb, NULL, &selinux_ops);
kfree(sbsec);
}
@@ -323,9 +329,10 @@ static int may_context_mount_sb_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec;
int rc;
+ tsec = lsm_get_cred(cred, &selinux_ops);
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
@@ -340,8 +347,10 @@ static int may_context_mount_inode_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec;
int rc;
+
+ tsec = lsm_get_cred(cred, &selinux_ops);
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
@@ -354,7 +363,8 @@ static int may_context_mount_inode_relabel(u32 sid,
static int sb_finish_set_opts(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
struct dentry *root = sb->s_root;
struct inode *root_inode = root->d_inode;
int rc = 0;
@@ -444,7 +454,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
struct security_mnt_opts *opts)
{
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
char *context = NULL;
u32 len;
char tmp;
@@ -504,8 +515,9 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct inode *root = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *isec = root->i_security;
+ struct inode_security_struct *isec;
+ isec = lsm_get_inode(root, &selinux_ops);
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
goto out_free;
@@ -555,10 +567,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
{
const struct cred *cred = current_cred();
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
const char *name = sb->s_type->name;
struct inode *inode = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *root_isec = inode->i_security;
+ struct inode_security_struct *root_isec =
+ lsm_get_inode(inode, &selinux_ops);
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
char **mount_options = opts->mnt_opts;
@@ -753,8 +767,10 @@ out_double_mount:
static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
struct super_block *newsb)
{
- const struct superblock_security_struct *oldsbsec = oldsb->s_security;
- struct superblock_security_struct *newsbsec = newsb->s_security;
+ const struct superblock_security_struct *oldsbsec =
+ lsm_get_super(oldsb, &selinux_ops);
+ struct superblock_security_struct *newsbsec =
+ lsm_get_super(newsb, &selinux_ops);
int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
int set_context = (oldsbsec->flags & CONTEXT_MNT);
@@ -789,16 +805,19 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
newsbsec->sid = sid;
if (!set_rootcontext) {
struct inode *newinode = newsb->s_root->d_inode;
- struct inode_security_struct *newisec = newinode->i_security;
+ struct inode_security_struct *newisec =
+ lsm_get_inode(newinode, &selinux_ops);
newisec->sid = sid;
}
newsbsec->mntpoint_sid = sid;
}
if (set_rootcontext) {
const struct inode *oldinode = oldsb->s_root->d_inode;
- const struct inode_security_struct *oldisec = oldinode->i_security;
+ const struct inode_security_struct *oldisec =
+ lsm_get_inode(oldinode, &selinux_ops);
struct inode *newinode = newsb->s_root->d_inode;
- struct inode_security_struct *newisec = newinode->i_security;
+ struct inode_security_struct *newisec =
+ lsm_get_inode(newinode, &selinux_ops);
newisec->sid = oldisec->sid;
}
@@ -1162,7 +1181,7 @@ static int selinux_proc_get_sid(struct dentry *dentry,
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
struct superblock_security_struct *sbsec = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 sid;
struct dentry *dentry;
#define INITCONTEXTLEN 255
@@ -1177,7 +1196,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
if (isec->initialized)
goto out_unlock;
- sbsec = inode->i_sb->s_security;
+ sbsec = lsm_get_super(inode->i_sb, &selinux_ops);
if (!(sbsec->flags & SE_SBINITIALIZED)) {
/* Defer initialization until selinux_complete_init,
after the initial policy is loaded and the security
@@ -1389,8 +1408,10 @@ static int task_has_perm(const struct task_struct *tsk1,
u32 sid1, sid2;
rcu_read_lock();
- __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
- __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
+ __tsec1 = lsm_get_cred(__task_cred(tsk1), &selinux_ops);
+ sid1 = __tsec1->sid;
+ __tsec2 = lsm_get_cred(__task_cred(tsk2), &selinux_ops);
+ sid2 = __tsec2->sid;
rcu_read_unlock();
return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
}
@@ -1480,7 +1501,7 @@ static int inode_has_perm(const struct cred *cred,
return 0;
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
}
@@ -1527,7 +1548,7 @@ static int file_has_perm(const struct cred *cred,
struct file *file,
u32 av)
{
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = lsm_get_file(file, &selinux_ops);
struct inode *inode = file->f_path.dentry->d_inode;
struct common_audit_data ad;
u32 sid = cred_sid(cred);
@@ -1559,15 +1580,16 @@ static int may_create(struct inode *dir,
struct dentry *dentry,
u16 tclass)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid;
struct common_audit_data ad;
int rc;
- dsec = dir->i_security;
- sbsec = dir->i_sb->s_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ sbsec = lsm_get_super(dir->i_sb, &selinux_ops);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -1622,8 +1644,8 @@ static int may_link(struct inode *dir,
u32 av;
int rc;
- dsec = dir->i_security;
- isec = dentry->d_inode->i_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ isec = lsm_get_inode(dentry->d_inode, &selinux_ops);
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
@@ -1666,10 +1688,10 @@ static inline int may_rename(struct inode *old_dir,
int old_is_dir, new_is_dir;
int rc;
- old_dsec = old_dir->i_security;
- old_isec = old_dentry->d_inode->i_security;
+ old_dsec = lsm_get_inode(old_dir, &selinux_ops);
+ old_isec = lsm_get_inode(old_dentry->d_inode, &selinux_ops);
old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
- new_dsec = new_dir->i_security;
+ new_dsec = lsm_get_inode(new_dir, &selinux_ops);
ad.type = LSM_AUDIT_DATA_DENTRY;
@@ -1697,7 +1719,7 @@ static inline int may_rename(struct inode *old_dir,
if (rc)
return rc;
if (new_dentry->d_inode) {
- new_isec = new_dentry->d_inode->i_security;
+ new_isec = lsm_get_inode(new_dentry->d_inode, &selinux_ops);
new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
rc = avc_has_perm(sid, new_isec->sid,
new_isec->sclass,
@@ -1718,7 +1740,7 @@ static int superblock_has_perm(const struct cred *cred,
struct superblock_security_struct *sbsec;
u32 sid = cred_sid(cred);
- sbsec = sb->s_security;
+ sbsec = lsm_get_super(sb, &selinux_ops);
return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
@@ -1792,12 +1814,6 @@ static inline u32 open_file_to_av(struct file *file)
static int selinux_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int rc;
-
- rc = cap_ptrace_access_check(child, mode);
- if (rc)
- return rc;
-
if (mode & PTRACE_MODE_READ) {
u32 sid = current_sid();
u32 csid = task_sid(child);
@@ -1809,12 +1825,6 @@ static int selinux_ptrace_access_check(struct task_struct *child,
static int selinux_ptrace_traceme(struct task_struct *parent)
{
- int rc;
-
- rc = cap_ptrace_traceme(parent);
- if (rc)
- return rc;
-
return task_has_perm(parent, current, PROCESS__PTRACE);
}
@@ -1835,13 +1845,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- int error;
-
- error = cap_capset(new, old,
- effective, inheritable, permitted);
- if (error)
- return error;
-
return cred_has_perm(old, new, PROCESS__SETCAP);
}
@@ -1858,12 +1861,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit)
{
- int rc;
-
- rc = cap_capable(cred, ns, cap, audit);
- if (rc)
- return rc;
-
return cred_has_capability(cred, cap, audit);
}
@@ -1960,18 +1957,14 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
struct inode *inode = bprm->file->f_path.dentry->d_inode;
int rc;
- rc = cap_bprm_set_creds(bprm);
- if (rc)
- return rc;
-
/* SELinux context only depends on initial program or script and not
* the script interpreter */
if (bprm->cred_prepared)
return 0;
- old_tsec = current_security();
- new_tsec = bprm->cred->security;
- isec = inode->i_security;
+ old_tsec = lsm_get_cred(current_cred(), &selinux_ops);
+ new_tsec = lsm_get_cred(bprm->cred, &selinux_ops);
+ isec = lsm_get_inode(inode, &selinux_ops);
/* Default to the current task SID. */
new_tsec->sid = old_tsec->sid;
@@ -2046,7 +2039,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
rcu_read_lock();
tracer = ptrace_parent(current);
if (likely(tracer != NULL)) {
- sec = __task_cred(tracer)->security;
+ sec = lsm_get_cred(__task_cred(tracer),
+ &selinux_ops);
ptsid = sec->sid;
}
rcu_read_unlock();
@@ -2069,7 +2063,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
u32 sid, osid;
int atsecure = 0;
@@ -2085,7 +2080,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
PROCESS__NOATSECURE, NULL);
}
- return (atsecure || cap_bprm_secureexec(bprm));
+ return atsecure;
}
static int match_file(const void *p, struct file *file, unsigned fd)
@@ -2151,7 +2146,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
struct rlimit *rlim, *initrlim;
int rc, i;
- new_tsec = bprm->cred->security;
+ new_tsec = lsm_get_cred(bprm->cred, &selinux_ops);
if (new_tsec->sid == new_tsec->osid)
return;
@@ -2192,7 +2187,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
*/
static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct itimerval itimer;
u32 osid, sid;
int rc, i;
@@ -2339,7 +2335,8 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
int rc, i, *flags;
struct security_mnt_opts opts;
char *secdata, **mount_options;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
if (!(sbsec->flags & SE_SBINITIALIZED))
return 0;
@@ -2391,7 +2388,8 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
break;
case ROOTCONTEXT_MNT: {
struct inode_security_struct *root_isec;
- root_isec = sb->s_root->d_inode->i_security;
+ root_isec = lsm_get_inode(sb->s_root->d_inode,
+ &selinux_ops);
if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
goto out_bad_option;
@@ -2487,15 +2485,16 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, char **name,
void **value, size_t *len)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid, clen;
int rc;
char *namep = NULL, *context;
- dsec = dir->i_security;
- sbsec = dir->i_sb->s_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ sbsec = lsm_get_super(dir->i_sb, &selinux_ops);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -2519,7 +2518,8 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
/* Possibly defer initialization to selinux_complete_init. */
if (sbsec->flags & SE_SBINITIALIZED) {
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec =
+ lsm_get_inode(inode, &selinux_ops);
isec->sclass = inode_mode_to_security_class(inode->i_mode);
isec->sid = newsid;
isec->initialized = 1;
@@ -2608,7 +2608,7 @@ static noinline int audit_inode_permission(struct inode *inode,
unsigned flags)
{
struct common_audit_data ad;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
int rc;
ad.type = LSM_AUDIT_DATA_INODE;
@@ -2648,7 +2648,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
perms = file_mask_to_av(inode->i_mode, mask);
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
audited = avc_audit_required(perms, &avd, rc,
@@ -2723,7 +2723,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
struct inode *inode = dentry->d_inode;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
struct superblock_security_struct *sbsec;
struct common_audit_data ad;
u32 newsid, sid = current_sid();
@@ -2732,7 +2732,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
- sbsec = inode->i_sb->s_security;
+ sbsec = lsm_get_super(inode->i_sb, &selinux_ops);
if (!(sbsec->flags & SE_SBLABELSUPP))
return -EOPNOTSUPP;
@@ -2800,7 +2800,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
int flags)
{
struct inode *inode = dentry->d_inode;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 newsid;
int rc;
@@ -2855,7 +2855,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
u32 size;
int error;
char *context = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
if (strcmp(name, XATTR_SELINUX_SUFFIX))
return -EOPNOTSUPP;
@@ -2891,7 +2891,7 @@ out_nofree:
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 newsid;
int rc;
@@ -2920,7 +2920,7 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
*secid = isec->sid;
}
@@ -2942,8 +2942,8 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
static int selinux_file_permission(struct file *file, int mask)
{
struct inode *inode = file->f_path.dentry->d_inode;
- struct file_security_struct *fsec = file->f_security;
- struct inode_security_struct *isec = inode->i_security;
+ struct file_security_struct *fsec = lsm_get_file(file, &selinux_ops);
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 sid = current_sid();
if (!mask)
@@ -3177,7 +3177,7 @@ static int selinux_file_set_fowner(struct file *file)
{
struct file_security_struct *fsec;
- fsec = file->f_security;
+ fsec = lsm_get_file(file, &selinux_ops);
fsec->fown_sid = current_sid();
return 0;
@@ -3194,7 +3194,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
/* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner);
- fsec = file->f_security;
+ fsec = lsm_get_file(file, &selinux_ops);
if (!signum)
perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@@ -3217,8 +3217,8 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
struct file_security_struct *fsec;
struct inode_security_struct *isec;
- fsec = file->f_security;
- isec = file->f_path.dentry->d_inode->i_security;
+ fsec = lsm_get_file(file, &selinux_ops);
+ isec = lsm_get_inode(file->f_path.dentry->d_inode, &selinux_ops);
/*
* Save inode label and policy sequence number
* at open-time so that selinux_file_permission
@@ -3257,7 +3257,7 @@ static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (!tsec)
return -ENOMEM;
- cred->security = tsec;
+ lsm_set_cred(cred, tsec, &selinux_ops);
return 0;
}
@@ -3266,14 +3266,14 @@ static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void selinux_cred_free(struct cred *cred)
{
- struct task_security_struct *tsec = cred->security;
+ struct task_security_struct *tsec = lsm_get_cred(cred, &selinux_ops);
/*
* cred->security == NULL if security_cred_alloc_blank() or
* security_prepare_creds() returned an error.
*/
- BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
- cred->security = (void *) 0x7UL;
+ BUG_ON(tsec && (unsigned long) tsec < PAGE_SIZE);
+ lsm_set_cred(cred, NULL, &selinux_ops);
kfree(tsec);
}
@@ -3286,13 +3286,13 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
const struct task_security_struct *old_tsec;
struct task_security_struct *tsec;
- old_tsec = old->security;
+ old_tsec = lsm_get_cred(old, &selinux_ops);
tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
if (!tsec)
return -ENOMEM;
- new->security = tsec;
+ lsm_set_cred(new, tsec, &selinux_ops);
return 0;
}
@@ -3301,9 +3301,15 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
*/
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct task_security_struct *old_tsec = old->security;
- struct task_security_struct *tsec = new->security;
+ const struct task_security_struct *old_tsec;
+ struct task_security_struct *tsec;
+ old_tsec = lsm_get_cred(old, &selinux_ops);
+ tsec = lsm_get_cred(new, &selinux_ops);
+
+ /*
+ * This is a data copy, not a pointer assignment.
+ */
*tsec = *old_tsec;
}
@@ -3313,7 +3319,7 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
*/
static int selinux_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = lsm_get_cred(new, &selinux_ops);
u32 sid = current_sid();
int ret;
@@ -3336,8 +3342,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
*/
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct task_security_struct *tsec = new->security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
+ struct task_security_struct *tsec = lsm_get_cred(new, &selinux_ops);
u32 sid = current_sid();
int ret;
@@ -3387,23 +3393,11 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
static int selinux_task_setnice(struct task_struct *p, int nice)
{
- int rc;
-
- rc = cap_task_setnice(p, nice);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
{
- int rc;
-
- rc = cap_task_setioprio(p, ioprio);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
@@ -3429,12 +3423,6 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
static int selinux_task_setscheduler(struct task_struct *p)
{
- int rc;
-
- rc = cap_task_setscheduler(p);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
@@ -3474,7 +3462,7 @@ static int selinux_task_wait(struct task_struct *p)
static void selinux_task_to_inode(struct task_struct *p,
struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 sid = task_sid(p);
isec->sid = sid;
@@ -3729,7 +3717,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
u32 tsid = task_sid(task);
@@ -3747,7 +3735,8 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
static int selinux_socket_create(int family, int type,
int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
u32 newsid;
u16 secclass;
int rc;
@@ -3766,8 +3755,10 @@ static int selinux_socket_create(int family, int type,
static int selinux_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
- struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
+ struct inode_security_struct *isec =
+ lsm_get_inode(SOCK_INODE(sock), &selinux_ops);
struct sk_security_struct *sksec;
int err = 0;
@@ -3784,7 +3775,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
isec->initialized = 1;
if (sock->sk) {
- sksec = sock->sk->sk_security;
+ sksec = lsm_get_sock(sock->sk, &selinux_ops);
sksec->sid = isec->sid;
sksec->sclass = isec->sclass;
err = selinux_netlbl_socket_post_create(sock->sk, family);
@@ -3815,7 +3806,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
family = sk->sk_family;
if (family == PF_INET || family == PF_INET6) {
char *addrp;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
struct sockaddr_in *addr4 = NULL;
@@ -3899,7 +3891,7 @@ out:
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
int err;
err = sock_has_perm(current, sk, SOCKET__CONNECT);
@@ -3967,9 +3959,9 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
if (err)
return err;
- newisec = SOCK_INODE(newsock)->i_security;
+ newisec = lsm_get_inode(SOCK_INODE(newsock), &selinux_ops);
- isec = SOCK_INODE(sock)->i_security;
+ isec = lsm_get_inode(SOCK_INODE(sock), &selinux_ops);
newisec->sclass = isec->sclass;
newisec->sid = isec->sid;
newisec->initialized = 1;
@@ -4025,9 +4017,12 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
{
- struct sk_security_struct *sksec_sock = sock->sk_security;
- struct sk_security_struct *sksec_other = other->sk_security;
- struct sk_security_struct *sksec_new = newsk->sk_security;
+ struct sk_security_struct *sksec_sock =
+ lsm_get_sock(sock, &selinux_ops);
+ struct sk_security_struct *sksec_other =
+ lsm_get_sock(other, &selinux_ops);
+ struct sk_security_struct *sksec_new =
+ lsm_get_sock(newsk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
int err;
@@ -4058,8 +4053,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
static int selinux_socket_unix_may_send(struct socket *sock,
struct socket *other)
{
- struct sk_security_struct *ssec = sock->sk->sk_security;
- struct sk_security_struct *osec = other->sk->sk_security;
+ struct sk_security_struct *ssec = lsm_get_sock(sock->sk, &selinux_ops);
+ struct sk_security_struct *osec = lsm_get_sock(other->sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4098,7 +4093,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
int err = 0;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4130,7 +4125,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
int err;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
@@ -4200,7 +4195,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
int err = 0;
char *scontext;
u32 scontext_len;
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sock->sk, &selinux_ops);
u32 peer_sid = SECSID_NULL;
if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
@@ -4265,24 +4260,24 @@ static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority
sksec->peer_sid = SECINITSID_UNLABELED;
sksec->sid = SECINITSID_UNLABELED;
selinux_netlbl_sk_security_reset(sksec);
- sk->sk_security = sksec;
+ lsm_set_sock(sk, sksec, &selinux_ops);
return 0;
}
static void selinux_sk_free_security(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
- sk->sk_security = NULL;
+ lsm_set_sock(sk, NULL, &selinux_ops);
selinux_netlbl_sk_security_free(sksec);
kfree(sksec);
}
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
{
- struct sk_security_struct *sksec = sk->sk_security;
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
+ struct sk_security_struct *newsksec = lsm_get_sock(newsk, &selinux_ops);
newsksec->sid = sksec->sid;
newsksec->peer_sid = sksec->peer_sid;
@@ -4296,7 +4291,8 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
if (!sk)
*secid = SECINITSID_ANY_SOCKET;
else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
*secid = sksec->sid;
}
@@ -4304,8 +4300,9 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
- struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct inode_security_struct *isec =
+ lsm_get_inode(SOCK_INODE(parent), &selinux_ops);
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
sk->sk_family == PF_UNIX)
@@ -4316,7 +4313,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
int err;
u16 family = sk->sk_family;
u32 newsid;
@@ -4346,7 +4343,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void selinux_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *newsksec = lsm_get_sock(newsk, &selinux_ops);
newsksec->sid = req->secid;
newsksec->peer_sid = req->peer_secid;
@@ -4363,7 +4360,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
{
u16 family = sk->sk_family;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
/* handle mapped IPv4 packets arriving via IPv6 sockets */
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -4377,7 +4374,7 @@ static int selinux_secmark_relabel_packet(u32 sid)
const struct task_security_struct *__tsec;
u32 tsid;
- __tsec = current_security();
+ __tsec = lsm_get_cred(current_cred(), &selinux_ops);
tsid = __tsec->sid;
return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
@@ -4416,7 +4413,7 @@ static int selinux_tun_dev_create(void)
static void selinux_tun_dev_post_create(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
/* we don't currently perform any NetLabel based labeling here and it
* isn't clear that we would want to do so anyway; while we could apply
@@ -4434,7 +4431,7 @@ static void selinux_tun_dev_post_create(struct sock *sk)
static int selinux_tun_dev_attach(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
u32 sid = current_sid();
int err;
@@ -4457,7 +4454,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
int err = 0;
u32 perm;
struct nlmsghdr *nlh;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (skb->len < NLMSG_SPACE(0)) {
err = -EINVAL;
@@ -4577,7 +4574,8 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
* because we want to make sure we apply the necessary labeling
* before IPsec is applied so we can leverage AH protection */
if (skb->sk) {
- struct sk_security_struct *sksec = skb->sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(skb->sk, &selinux_ops);
sid = sksec->sid;
} else
sid = SECINITSID_KERNEL;
@@ -4609,7 +4607,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
if (sk == NULL)
return NF_ACCEPT;
- sksec = sk->sk_security;
+ sksec = lsm_get_sock(sk, &selinux_ops);
ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net;
@@ -4677,7 +4675,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
peer_sid = SECINITSID_KERNEL;
}
} else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
peer_sid = sksec->sid;
secmark_perm = PACKET__SEND;
}
@@ -4738,12 +4737,6 @@ static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
- int err;
-
- err = cap_netlink_send(sk, skb);
- if (err)
- return err;
-
return selinux_nlmsg_perm(sk, skb);
}
@@ -4761,15 +4754,15 @@ static int ipc_alloc_security(struct task_struct *task,
sid = task_sid(task);
isec->sclass = sclass;
isec->sid = sid;
- perm->security = isec;
+ lsm_set_ipc(perm, isec, &selinux_ops);
return 0;
}
static void ipc_free_security(struct kern_ipc_perm *perm)
{
- struct ipc_security_struct *isec = perm->security;
- perm->security = NULL;
+ struct ipc_security_struct *isec = lsm_get_ipc(perm, &selinux_ops);
+ lsm_set_ipc(perm, NULL, &selinux_ops);
kfree(isec);
}
@@ -4782,16 +4775,16 @@ static int msg_msg_alloc_security(struct msg_msg *msg)
return -ENOMEM;
msec->sid = SECINITSID_UNLABELED;
- msg->security = msec;
+ lsm_set_msg(msg, msec, &selinux_ops);
return 0;
}
static void msg_msg_free_security(struct msg_msg *msg)
{
- struct msg_security_struct *msec = msg->security;
+ struct msg_security_struct *msec = lsm_get_msg(msg, &selinux_ops);
- msg->security = NULL;
+ lsm_set_msg(msg, NULL, &selinux_ops);
kfree(msec);
}
@@ -4802,7 +4795,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
struct common_audit_data ad;
u32 sid = current_sid();
- isec = ipc_perms->security;
+ isec = lsm_get_ipc(ipc_perms, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = ipc_perms->key;
@@ -4832,7 +4825,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
if (rc)
return rc;
- isec = msq->q_perm.security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4857,7 +4850,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = msq->q_perm.security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4902,8 +4895,8 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = current_sid();
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
+ msec = lsm_get_msg(msg, &selinux_ops);
/*
* First time through, need to assign label to the message
@@ -4947,8 +4940,8 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = task_sid(target);
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
+ msec = lsm_get_msg(msg, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4973,7 +4966,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
if (rc)
return rc;
- isec = shp->shm_perm.security;
+ isec = lsm_get_ipc(&shp->shm_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -4998,7 +4991,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = shp->shm_perm.security;
+ isec = lsm_get_ipc(&shp->shm_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -5065,7 +5058,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
if (rc)
return rc;
- isec = sma->sem_perm.security;
+ isec = lsm_get_ipc(&sma->sem_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5090,7 +5083,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = sma->sem_perm.security;
+ isec = lsm_get_ipc(&sma->sem_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5172,7 +5165,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- struct ipc_security_struct *isec = ipcp->security;
+ struct ipc_security_struct *isec = lsm_get_ipc(ipcp, &selinux_ops);
*secid = isec->sid;
}
@@ -5197,7 +5190,7 @@ static int selinux_getprocattr(struct task_struct *p,
}
rcu_read_lock();
- __tsec = __task_cred(p)->security;
+ __tsec = lsm_get_cred(__task_cred(p), &selinux_ops);
if (!strcmp(name, "current"))
sid = __tsec->sid;
@@ -5306,7 +5299,7 @@ static int selinux_setprocattr(struct task_struct *p,
operation. See selinux_bprm_set_creds for the execve
checks and may_create for the file creation checks. The
operation will then fail if the context is not permitted. */
- tsec = new->security;
+ tsec = lsm_get_cred(new, &selinux_ops);
if (!strcmp(name, "exec")) {
tsec->exec_sid = sid;
} else if (!strcmp(name, "fscreate")) {
@@ -5420,21 +5413,21 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
if (!ksec)
return -ENOMEM;
- tsec = cred->security;
+ tsec = lsm_get_cred(cred, &selinux_ops);
if (tsec->keycreate_sid)
ksec->sid = tsec->keycreate_sid;
else
ksec->sid = tsec->sid;
- k->security = ksec;
+ lsm_set_key(k, ksec, &selinux_ops);
return 0;
}
static void selinux_key_free(struct key *k)
{
- struct key_security_struct *ksec = k->security;
+ struct key_security_struct *ksec = lsm_get_key(k, &selinux_ops);
- k->security = NULL;
+ lsm_set_key(k, NULL, &selinux_ops);
kfree(ksec);
}
@@ -5455,14 +5448,14 @@ static int selinux_key_permission(key_ref_t key_ref,
sid = cred_sid(cred);
key = key_ref_to_ptr(key_ref);
- ksec = key->security;
+ ksec = lsm_get_key(key, &selinux_ops);
return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
static int selinux_key_getsecurity(struct key *key, char **_buffer)
{
- struct key_security_struct *ksec = key->security;
+ struct key_security_struct *ksec = lsm_get_key(key, &selinux_ops);
char *context = NULL;
unsigned len;
int rc;
@@ -5476,7 +5469,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
-static struct security_operations selinux_ops = {
+struct security_operations selinux_ops = {
.name = "selinux",
.ptrace_access_check = selinux_ptrace_access_check,
@@ -5676,13 +5669,13 @@ static struct security_operations selinux_ops = {
static __init int selinux_init(void)
{
- if (!security_module_enable(&selinux_ops)) {
- selinux_enabled = 0;
+ if (!selinux_enabled) {
+ pr_info("SELinux: Disabled at boot.\n");
return 0;
}
- if (!selinux_enabled) {
- printk(KERN_INFO "SELinux: Disabled at boot.\n");
+ if (!security_module_enable(&selinux_ops)) {
+ selinux_enabled = 0;
return 0;
}
@@ -5694,13 +5687,10 @@ static __init int selinux_init(void)
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
sel_inode_cache = kmem_cache_create("selinux_inode_security",
- sizeof(struct inode_security_struct),
- 0, SLAB_PANIC, NULL);
+ sizeof(struct inode_security_struct),
+ 0, SLAB_PANIC, NULL);
avc_init();
- if (register_security(&selinux_ops))
- panic("SELinux: Unable to register with kernel.\n");
-
if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
else
@@ -5824,6 +5814,8 @@ static int selinux_disabled;
int selinux_disable(void)
{
+ int rc;
+
if (ss_initialized) {
/* Not permitted after initial policy load. */
return -EINVAL;
@@ -5834,13 +5826,17 @@ int selinux_disable(void)
return -EINVAL;
}
+ rc = reset_security_ops(&selinux_ops);
+ if (rc) {
+ pr_info("SELinux: Runtime disable disallowed.\n");
+ return rc;
+ }
+
printk(KERN_INFO "SELinux: Disabled at runtime.\n");
selinux_disabled = 1;
selinux_enabled = 0;
- reset_security_ops();
-
/* Try to destroy the avc node cache */
avc_disable();
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 26c7eee..1d1dd10 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -24,6 +24,7 @@
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
+#include <linux/lsm.h>
#include "flask.h"
#include "avc.h"
@@ -115,5 +116,6 @@ struct key_security_struct {
};
extern unsigned int selinux_checkreqprot;
+extern struct security_operations selinux_ops;
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 65f67cb..1219221 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -31,7 +31,7 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
if (!sk->sk_socket)
return NULL;
- return SOCK_INODE(sk->sk_socket)->i_security;
+ return lsm_get_inode(SOCK_INODE(sk->sk_socket), &selinux_ops);
}
#ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index da4b8b2..7a9cbd0 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -81,7 +81,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_secattr != NULL)
@@ -221,7 +221,8 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
* being labeled by it's parent socket, if it is just exit */
sk = skb->sk;
if (sk != NULL) {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
if (sksec->nlbl_state != NLBL_REQSKB)
return 0;
secattr = sksec->nlbl_secattr;
@@ -283,7 +284,7 @@ inet_conn_request_return:
*/
void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (family == PF_INET)
sksec->nlbl_state = NLBL_LABELED;
@@ -304,7 +305,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (family != PF_INET)
@@ -402,7 +403,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
{
int rc = 0;
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr secattr;
if (level == IPPROTO_IP && optname == IP_OPTIONS &&
@@ -435,7 +436,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_state != NLBL_REQSKB &&
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 3a6e873..415c6b7 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -83,7 +83,7 @@ static int task_has_security(struct task_struct *tsk,
u32 sid = 0;
rcu_read_lock();
- tsec = __task_cred(tsk)->security;
+ tsec = lsm_get_cred(__task_cred(tsk), &selinux_ops);
if (tsec)
sid = tsec->sid;
rcu_read_unlock();
@@ -1264,7 +1264,7 @@ static int sel_make_bools(void)
if (len >= PAGE_SIZE)
goto out;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
if (ret)
goto out;
@@ -1831,7 +1831,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
goto err;
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = 1;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 48665ec..02979a3 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -198,7 +198,8 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
struct xfrm_user_sec_ctx *uctx, u32 sid)
{
int rc = 0;
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct xfrm_sec_ctx *ctx = NULL;
char *ctx_str = NULL;
u32 str_len;
@@ -334,7 +335,8 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
*/
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
int rc = 0;
if (ctx) {
@@ -379,7 +381,8 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
*/
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct xfrm_sec_ctx *ctx = x->security;
int rc = 0;
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 7/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 7/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Abstract access to security blobs.
Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/smack/smack.h | 14 +-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 367 ++++++++++++++++++-----------------------
security/smack/smackfs.c | 16 +-
4 files changed, 183 insertions(+), 216 deletions(-)
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 99b3612..c012d94 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -20,6 +20,7 @@
#include <net/netlabel.h>
#include <linux/list.h>
#include <linux/rculist.h>
+#include <linux/lsm.h>
#include <linux/lsm_audit.h>
/*
@@ -203,6 +204,7 @@ struct smk_audit_info {
* These functions are in smack_lsm.c
*/
struct inode_smack *new_inode_smack(char *);
+int smk_setcurrent(char *, size_t);
/*
* These functions are in smack_access.c
@@ -243,18 +245,18 @@ extern struct security_operations smack_ops;
/*
* Is the directory transmuting?
*/
-static inline int smk_inode_transmutable(const struct inode *isp)
+static inline int smk_inode_transmutable(struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = lsm_get_inode(isp, &smack_ops);
return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
}
/*
* Present a pointer to the smack label in an inode blob.
*/
-static inline char *smk_of_inode(const struct inode *isp)
+static inline char *smk_of_inode(struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = lsm_get_inode(isp, &smack_ops);
return sip->smk_inode;
}
@@ -279,7 +281,9 @@ static inline char *smk_of_forked(const struct task_smack *tsp)
*/
static inline char *smk_of_current(void)
{
- return smk_of_task(current_security());
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
+
+ return tsp->smk_task;
}
/*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index db14689..b4b4044 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -197,7 +197,7 @@ out_audit:
*/
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
char *sp = smk_of_task(tsp);
int may;
int rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 38be92c..e625cbe 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -40,7 +40,16 @@
#include <linux/binfmts.h>
#include "smack.h"
-#define task_security(task) (task_cred_xxx((task), security))
+static void *task_security(struct task_struct *task)
+{
+ const struct cred *cred;
+
+ rcu_read_lock();
+ cred = __task_cred(task);
+ rcu_read_unlock();
+
+ return lsm_get_cred(cred, &smack_ops);
+}
#define TRANS_TRUE "TRUE"
#define TRANS_TRUE_SIZE 4
@@ -162,20 +171,14 @@ static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
*/
static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
{
- int rc;
struct smk_audit_info ad;
char *tsp;
- rc = cap_ptrace_access_check(ctp, mode);
- if (rc != 0)
- return rc;
-
tsp = smk_of_task(task_security(ctp));
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ctp);
- rc = smk_curacc(tsp, MAY_READWRITE, &ad);
- return rc;
+ return smk_curacc(tsp, MAY_READWRITE, &ad);
}
/**
@@ -188,20 +191,14 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
*/
static int smack_ptrace_traceme(struct task_struct *ptp)
{
- int rc;
struct smk_audit_info ad;
char *tsp;
- rc = cap_ptrace_traceme(ptp);
- if (rc != 0)
- return rc;
-
tsp = smk_of_task(task_security(ptp));
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ptp);
- rc = smk_curacc(tsp, MAY_READWRITE, &ad);
- return rc;
+ return smk_curacc(tsp, MAY_READWRITE, &ad);
}
/**
@@ -252,7 +249,7 @@ static int smack_sb_alloc_security(struct super_block *sb)
sbsp->smk_hat = smack_known_hat.smk_known;
sbsp->smk_initialized = 0;
- sb->s_security = sbsp;
+ lsm_set_super(sb, sbsp, &smack_ops);
return 0;
}
@@ -264,8 +261,10 @@ static int smack_sb_alloc_security(struct super_block *sb)
*/
static void smack_sb_free_security(struct super_block *sb)
{
- kfree(sb->s_security);
- sb->s_security = NULL;
+ struct superblock_smack *sbsp = lsm_get_super(sb, &smack_ops);
+
+ kfree(sbsp);
+ lsm_set_super(sb, NULL, &smack_ops);
}
/**
@@ -325,7 +324,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
struct dentry *root = sb->s_root;
struct inode *inode = root->d_inode;
- struct superblock_smack *sp = sb->s_security;
+ struct superblock_smack *sp = lsm_get_super(sb, &smack_ops);
struct inode_smack *isp;
char *op;
char *commap;
@@ -368,9 +367,9 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
/*
* Initialize the root inode.
*/
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
if (isp == NULL)
- inode->i_security = new_inode_smack(sp->smk_root);
+ lsm_set_inode(inode, new_inode_smack(sp->smk_root), &smack_ops);
else
isp->smk_inode = sp->smk_root;
@@ -386,7 +385,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
*/
static int smack_sb_statfs(struct dentry *dentry)
{
- struct superblock_smack *sbp = dentry->d_sb->s_security;
+ struct superblock_smack *sbp = lsm_get_super(dentry->d_sb, &smack_ops);
int rc;
struct smk_audit_info ad;
@@ -411,12 +410,13 @@ static int smack_sb_statfs(struct dentry *dentry)
static int smack_sb_mount(const char *dev_name, struct path *path,
const char *type, unsigned long flags, void *data)
{
- struct superblock_smack *sbp = path->dentry->d_sb->s_security;
+ struct superblock_smack *sbp;
struct smk_audit_info ad;
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, *path);
+ sbp = lsm_get_super(path->dentry->d_sb, &smack_ops);
return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
}
@@ -440,7 +440,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, path);
- sbp = path.dentry->d_sb->s_security;
+ sbp = lsm_get_super(path.dentry->d_sb, &smack_ops);
return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
}
@@ -457,18 +457,13 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
static int smack_bprm_set_creds(struct linux_binprm *bprm)
{
struct inode *inode = bprm->file->f_path.dentry->d_inode;
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = lsm_get_cred(bprm->cred, &smack_ops);
struct inode_smack *isp;
- int rc;
-
- rc = cap_bprm_set_creds(bprm);
- if (rc != 0)
- return rc;
if (bprm->cred_prepared)
return 0;
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
return 0;
@@ -489,7 +484,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
*/
static void smack_bprm_committing_creds(struct linux_binprm *bprm)
{
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = lsm_get_cred(bprm->cred, &smack_ops);
if (bsp->smk_task != bsp->smk_forked)
current->pdeath_signal = 0;
@@ -503,13 +498,9 @@ static void smack_bprm_committing_creds(struct linux_binprm *bprm)
*/
static int smack_bprm_secureexec(struct linux_binprm *bprm)
{
- struct task_smack *tsp = current_security();
- int ret = cap_bprm_secureexec(bprm);
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
- if (!ret && (tsp->smk_task != tsp->smk_forked))
- ret = 1;
-
- return ret;
+ return (tsp->smk_task != tsp->smk_forked);
}
/*
@@ -524,9 +515,12 @@ static int smack_bprm_secureexec(struct linux_binprm *bprm)
*/
static int smack_inode_alloc_security(struct inode *inode)
{
- inode->i_security = new_inode_smack(smk_of_current());
- if (inode->i_security == NULL)
+ struct inode_smack *isp = new_inode_smack(smk_of_current());
+
+ if (isp == NULL)
return -ENOMEM;
+
+ lsm_set_inode(inode, isp, &smack_ops);
return 0;
}
@@ -538,8 +532,8 @@ static int smack_inode_alloc_security(struct inode *inode)
*/
static void smack_inode_free_security(struct inode *inode)
{
- kfree(inode->i_security);
- inode->i_security = NULL;
+ kfree(lsm_get_inode(inode, &smack_ops));
+ lsm_set_inode(inode, NULL, &smack_ops);
}
/**
@@ -558,7 +552,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
void **value, size_t *len)
{
struct smack_known *skp;
- struct inode_smack *issp = inode->i_security;
+ struct inode_smack *issp = lsm_get_inode(inode, &smack_ops);
char *csp = smk_of_current();
char *isp = smk_of_inode(inode);
char *dsp = smk_of_inode(dir);
@@ -863,7 +857,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
char *nsp;
- struct inode_smack *isp = dentry->d_inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(dentry->d_inode, &smack_ops);
if (strcmp(name, XATTR_NAME_SMACK) == 0) {
nsp = smk_import(value, size);
@@ -938,7 +932,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
if (rc == 0) {
- isp = dentry->d_inode->i_security;
+ isp = lsm_get_inode(dentry->d_inode, &smack_ops);
isp->smk_task = NULL;
isp->smk_mmap = NULL;
}
@@ -955,9 +949,8 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
*
* Returns the size of the attribute or an error code
*/
-static int smack_inode_getsecurity(const struct inode *inode,
- const char *name, void **buffer,
- bool alloc)
+static int smack_inode_getsecurity(const struct inode *inode, const char *name,
+ void **buffer, bool alloc)
{
struct socket_smack *ssp;
struct socket *sock;
@@ -968,7 +961,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
int rc = 0;
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
- isp = smk_of_inode(inode);
+ isp = smk_of_inode(ip);
ilen = strlen(isp) + 1;
*buffer = isp;
return ilen;
@@ -985,7 +978,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
isp = ssp->smk_in;
@@ -1015,13 +1008,11 @@ static int smack_inode_getsecurity(const struct inode *inode,
static int smack_inode_listsecurity(struct inode *inode, char *buffer,
size_t buffer_size)
{
- int len = strlen(XATTR_NAME_SMACK);
+ const int len = sizeof(XATTR_NAME_SMACK);
- if (buffer != NULL && len <= buffer_size) {
+ if (buffer != NULL && len <= buffer_size)
memcpy(buffer, XATTR_NAME_SMACK, len);
- return len;
- }
- return -EINVAL;
+ return len;
}
/**
@@ -1031,7 +1022,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
*/
static void smack_inode_getsecid(const struct inode *inode, u32 *secid)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
*secid = smack_to_secid(isp->smk_inode);
}
@@ -1070,7 +1061,7 @@ static int smack_file_permission(struct file *file, int mask)
*/
static int smack_file_alloc_security(struct file *file)
{
- file->f_security = smk_of_current();
+ lsm_set_file(file, smk_of_current(), &smack_ops);
return 0;
}
@@ -1083,7 +1074,7 @@ static int smack_file_alloc_security(struct file *file)
*/
static void smack_file_free_security(struct file *file)
{
- file->f_security = NULL;
+ lsm_set_file(file, NULL, &smack_ops);
}
/**
@@ -1101,15 +1092,16 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
{
int rc = 0;
struct smk_audit_info ad;
+ char *fsp = lsm_get_file(file, &smack_ops);
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
if (_IOC_DIR(cmd) & _IOC_WRITE)
- rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
+ rc = smk_curacc(fsp, MAY_WRITE, &ad);
if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ))
- rc = smk_curacc(file->f_security, MAY_READ, &ad);
+ rc = smk_curacc(fsp, MAY_READ, &ad);
return rc;
}
@@ -1127,7 +1119,7 @@ static int smack_file_lock(struct file *file, unsigned int cmd)
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
- return smk_curacc(file->f_security, MAY_WRITE, &ad);
+ return smk_curacc(lsm_get_file(file, &smack_ops), MAY_WRITE, &ad);
}
/**
@@ -1157,7 +1149,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
case F_SETSIG:
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
- rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
+ rc = smk_curacc(lsm_get_file(file, &smack_ops), MAY_WRITE, &ad);
break;
default:
break;
@@ -1201,12 +1193,12 @@ static int smack_mmap_file(struct file *file,
if (dp->d_inode == NULL)
return 0;
- isp = dp->d_inode->i_security;
+ isp = lsm_get_inode(dp->d_inode, &smack_ops);
if (isp->smk_mmap == NULL)
return 0;
msmack = isp->smk_mmap;
- tsp = current_security();
+ tsp = lsm_get_cred(current_cred(), &smack_ops);
sp = smk_of_current();
skp = smk_find_entry(sp);
rc = 0;
@@ -1285,7 +1277,7 @@ static int smack_mmap_file(struct file *file,
*/
static int smack_file_set_fowner(struct file *file)
{
- file->f_security = smk_of_current();
+ lsm_set_file(file, smk_of_current(), &smack_ops);
return 0;
}
@@ -1305,22 +1297,24 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
{
struct file *file;
int rc;
- char *tsp = smk_of_task(tsk->cred->security);
+ char *tsp = smk_of_task(lsm_get_cred(tsk->cred, &smack_ops));
+ char *fsp;
struct smk_audit_info ad;
/*
* struct fown_struct is never outside the context of a struct file
*/
file = container_of(fown, struct file, f_owner);
+ fsp = lsm_get_file(file, &smack_ops);
/* we don't log here as rc can be overriden */
- rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL);
+ rc = smk_access(fsp, tsp, MAY_WRITE, NULL);
if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
rc = 0;
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, tsk);
- smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad);
+ smack_log(fsp, tsp, MAY_WRITE, rc, &ad);
return rc;
}
@@ -1345,7 +1339,7 @@ static int smack_file_receive(struct file *file)
if (file->f_mode & FMODE_WRITE)
may |= MAY_WRITE;
- return smk_curacc(file->f_security, may, &ad);
+ return smk_curacc(lsm_get_file(file, &smack_ops), may, &ad);
}
/**
@@ -1359,9 +1353,10 @@ static int smack_file_receive(struct file *file)
*/
static int smack_file_open(struct file *file, const struct cred *cred)
{
- struct inode_smack *isp = file->f_path.dentry->d_inode->i_security;
+ struct inode_smack *isp;
- file->f_security = isp->smk_inode;
+ isp = lsm_get_inode(file->f_path.dentry->d_inode, &smack_ops);
+ lsm_set_file(file, isp->smk_inode, &smack_ops);
return 0;
}
@@ -1387,7 +1382,7 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (tsp == NULL)
return -ENOMEM;
- cred->security = tsp;
+ lsm_set_cred(cred, tsp, &smack_ops);
return 0;
}
@@ -1400,14 +1395,14 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void smack_cred_free(struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = lsm_get_cred(cred, &smack_ops);
struct smack_rule *rp;
struct list_head *l;
struct list_head *n;
if (tsp == NULL)
return;
- cred->security = NULL;
+ lsm_set_cred(cred, NULL, &smack_ops);
list_for_each_safe(l, n, &tsp->smk_rules) {
rp = list_entry(l, struct smack_rule, list);
@@ -1428,7 +1423,7 @@ static void smack_cred_free(struct cred *cred)
static int smack_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct task_smack *old_tsp = old->security;
+ struct task_smack *old_tsp = lsm_get_cred(old, &smack_ops);
struct task_smack *new_tsp;
int rc;
@@ -1440,7 +1435,7 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
if (rc != 0)
return rc;
- new->security = new_tsp;
+ lsm_set_cred(new, new_tsp, &smack_ops);
return 0;
}
@@ -1453,8 +1448,8 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
*/
static void smack_cred_transfer(struct cred *new, const struct cred *old)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp = new->security;
+ struct task_smack *old_tsp = lsm_get_cred(old, &smack_ops);
+ struct task_smack *new_tsp = lsm_get_cred(new, &smack_ops);
new_tsp->smk_task = old_tsp->smk_task;
new_tsp->smk_forked = old_tsp->smk_task;
@@ -1474,7 +1469,7 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
*/
static int smack_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_smack *new_tsp = new->security;
+ struct task_smack *new_tsp = lsm_get_cred(new, &smack_ops);
char *smack = smack_from_secid(secid);
if (smack == NULL)
@@ -1495,8 +1490,8 @@ static int smack_kernel_act_as(struct cred *new, u32 secid)
static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
- struct task_smack *tsp = new->security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
+ struct task_smack *tsp = lsm_get_cred(new, &smack_ops);
tsp->smk_forked = isp->smk_inode;
tsp->smk_task = isp->smk_inode;
@@ -1576,12 +1571,7 @@ static void smack_task_getsecid(struct task_struct *p, u32 *secid)
*/
static int smack_task_setnice(struct task_struct *p, int nice)
{
- int rc;
-
- rc = cap_task_setnice(p, nice);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -1593,12 +1583,7 @@ static int smack_task_setnice(struct task_struct *p, int nice)
*/
static int smack_task_setioprio(struct task_struct *p, int ioprio)
{
- int rc;
-
- rc = cap_task_setioprio(p, ioprio);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -1622,12 +1607,7 @@ static int smack_task_getioprio(struct task_struct *p)
*/
static int smack_task_setscheduler(struct task_struct *p)
{
- int rc;
-
- rc = cap_task_setscheduler(p);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -1715,7 +1695,7 @@ static int smack_task_wait(struct task_struct *p)
*/
static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
isp->smk_inode = smk_of_task(task_security(p));
}
@@ -1746,7 +1726,7 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
ssp->smk_out = csp;
ssp->smk_packet = NULL;
- sk->sk_security = ssp;
+ lsm_set_sock(sk, ssp, &smack_ops);
return 0;
}
@@ -1759,7 +1739,8 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
*/
static void smack_sk_free_security(struct sock *sk)
{
- kfree(sk->sk_security);
+ kfree(lsm_get_sock(sk, &smack_ops));
+ lsm_set_sock(sk, NULL, &smack_ops);
}
/**
@@ -1812,7 +1793,7 @@ static char *smack_host_label(struct sockaddr_in *sip)
static int smack_netlabel(struct sock *sk, int labeled)
{
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
int rc = 0;
/*
@@ -1856,7 +1837,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
int rc;
int sk_lbl;
char *hostsp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
struct smk_audit_info ad;
rcu_read_lock();
@@ -1899,7 +1880,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
char *sp;
- struct inode_smack *nsp = inode->i_security;
+ struct inode_smack *nsp = lsm_get_inode(inode, &smack_ops);
struct socket_smack *ssp;
struct socket *sock;
int rc = 0;
@@ -1926,7 +1907,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
ssp->smk_in = sp;
@@ -2017,7 +1998,7 @@ static int smack_flags_to_may(int flags)
*/
static int smack_msg_msg_alloc_security(struct msg_msg *msg)
{
- msg->security = smk_of_current();
+ lsm_set_msg(msg, smk_of_current(), &smack_ops);
return 0;
}
@@ -2029,7 +2010,7 @@ static int smack_msg_msg_alloc_security(struct msg_msg *msg)
*/
static void smack_msg_msg_free_security(struct msg_msg *msg)
{
- msg->security = NULL;
+ lsm_set_msg(msg, NULL, &smack_ops);
}
/**
@@ -2040,7 +2021,7 @@ static void smack_msg_msg_free_security(struct msg_msg *msg)
*/
static char *smack_of_shm(struct shmid_kernel *shp)
{
- return (char *)shp->shm_perm.security;
+ return lsm_get_ipc(&shp->shm_perm, &smack_ops);
}
/**
@@ -2051,9 +2032,7 @@ static char *smack_of_shm(struct shmid_kernel *shp)
*/
static int smack_shm_alloc_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = smk_of_current();
+ lsm_set_ipc(&shp->shm_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2065,9 +2044,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp)
*/
static void smack_shm_free_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = NULL;
+ lsm_set_ipc(&shp->shm_perm, NULL, &smack_ops);
}
/**
@@ -2079,14 +2056,13 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
*/
static int smk_curacc_shm(struct shmid_kernel *shp, int access)
{
- char *ssp = smack_of_shm(shp);
struct smk_audit_info ad;
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
ad.a.u.ipc_id = shp->shm_perm.id;
#endif
- return smk_curacc(ssp, access, &ad);
+ return smk_curacc(smack_of_shm(shp), access, &ad);
}
/**
@@ -2098,10 +2074,7 @@ static int smk_curacc_shm(struct shmid_kernel *shp, int access)
*/
static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
{
- int may;
-
- may = smack_flags_to_may(shmflg);
- return smk_curacc_shm(shp, may);
+ return smk_curacc_shm(shp, smack_flags_to_may(shmflg));
}
/**
@@ -2149,10 +2122,7 @@ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
int shmflg)
{
- int may;
-
- may = smack_flags_to_may(shmflg);
- return smk_curacc_shm(shp, may);
+ return smk_curacc_shm(shp, smack_flags_to_may(shmflg));
}
/**
@@ -2163,7 +2133,7 @@ static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
*/
static char *smack_of_sem(struct sem_array *sma)
{
- return (char *)sma->sem_perm.security;
+ return lsm_get_ipc(&sma->sem_perm, &smack_ops);
}
/**
@@ -2174,9 +2144,7 @@ static char *smack_of_sem(struct sem_array *sma)
*/
static int smack_sem_alloc_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = smk_of_current();
+ lsm_set_ipc(&sma->sem_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2188,9 +2156,7 @@ static int smack_sem_alloc_security(struct sem_array *sma)
*/
static void smack_sem_free_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = NULL;
+ lsm_set_ipc(&sma->sem_perm, NULL, &smack_ops);
}
/**
@@ -2221,10 +2187,7 @@ static int smk_curacc_sem(struct sem_array *sma, int access)
*/
static int smack_sem_associate(struct sem_array *sma, int semflg)
{
- int may;
-
- may = smack_flags_to_may(semflg);
- return smk_curacc_sem(sma, may);
+ return smk_curacc_sem(sma, smack_flags_to_may(semflg));
}
/**
@@ -2292,9 +2255,7 @@ static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
*/
static int smack_msg_queue_alloc_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = smk_of_current();
+ lsm_set_ipc(&msq->q_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2306,9 +2267,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq)
*/
static void smack_msg_queue_free_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = NULL;
+ lsm_set_ipc(&msq->q_perm, NULL, &smack_ops);
}
/**
@@ -2319,7 +2278,7 @@ static void smack_msg_queue_free_security(struct msg_queue *msq)
*/
static char *smack_of_msq(struct msg_queue *msq)
{
- return (char *)msq->q_perm.security;
+ return lsm_get_ipc(&msq->q_perm, &smack_ops);
}
/**
@@ -2350,10 +2309,7 @@ static int smk_curacc_msq(struct msg_queue *msq, int access)
*/
static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
- int may;
-
- may = smack_flags_to_may(msqflg);
- return smk_curacc_msq(msq, may);
+ return smk_curacc_msq(msq, smack_flags_to_may(msqflg));
}
/**
@@ -2400,10 +2356,7 @@ static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
int msqflg)
{
- int may;
-
- may = smack_flags_to_may(msqflg);
- return smk_curacc_msq(msq, may);
+ return smk_curacc_msq(msq, smack_flags_to_may(msqflg));
}
/**
@@ -2431,15 +2384,14 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
*/
static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
{
- char *isp = ipp->security;
- int may = smack_flags_to_may(flag);
struct smk_audit_info ad;
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
ad.a.u.ipc_id = ipp->id;
#endif
- return smk_curacc(isp, may, &ad);
+ return smk_curacc(lsm_get_ipc(ipp, &smack_ops),
+ smack_flags_to_may(flag), &ad);
}
/**
@@ -2449,9 +2401,7 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
*/
static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
{
- char *smack = ipp->security;
-
- *secid = smack_to_secid(smack);
+ *secid = smack_to_secid(lsm_get_ipc(ipp, &smack_ops));
}
/**
@@ -2477,7 +2427,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
if (inode == NULL)
return;
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
mutex_lock(&isp->smk_lock);
/*
@@ -2488,7 +2438,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
goto unlockandout;
sbp = inode->i_sb;
- sbsp = sbp->s_security;
+ sbsp = lsm_get_super(sbp, &smack_ops);
/*
* We're going to use the superblock default label
* if there's no label on the file.
@@ -2670,40 +2620,26 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
}
/**
- * smack_setprocattr - Smack process attribute setting
- * @p: the object task
- * @name: the name of the attribute in /proc/.../attr
+ * smk_setcurrent - Set Smack process attribute setting
* @value: the value to set
* @size: the size of the value
*
- * Sets the Smack value of the task. Only setting self
- * is permitted and only with privilege
+ * Sets the Smack value of the task. Only with privilege
*
* Returns the length of the smack label or an error code
*/
-static int smack_setprocattr(struct task_struct *p, char *name,
- void *value, size_t size)
+int smk_setcurrent(char *value, size_t size)
{
struct task_smack *tsp;
struct cred *new;
char *newsmack;
- /*
- * Changing another process' Smack value is too dangerous
- * and supports no sane use case.
- */
- if (p != current)
- return -EPERM;
-
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;
if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
return -EINVAL;
- if (strcmp(name, "current") != 0)
- return -EINVAL;
-
newsmack = smk_import(value, size);
if (newsmack == NULL)
return -EINVAL;
@@ -2718,7 +2654,7 @@ static int smack_setprocattr(struct task_struct *p, char *name,
if (new == NULL)
return -ENOMEM;
- tsp = new->security;
+ tsp = lsm_get_cred(new, &smack_ops);
tsp->smk_task = newsmack;
commit_creds(new);
@@ -2726,6 +2662,33 @@ static int smack_setprocattr(struct task_struct *p, char *name,
}
/**
+ * smack_setprocattr - Smack process attribute setting
+ * @p: the object task
+ * @name: the name of the attribute in /proc/.../attr
+ * @value: the value to set
+ * @size: the size of the value
+ *
+ * Sets the Smack value of the task. Only setting self
+ * is permitted and only with privilege
+ *
+ * Returns the length of the smack label or an error code
+ */
+static int smack_setprocattr(struct task_struct *p, char *name,
+ void *value, size_t size)
+{
+ /*
+ * Changing another process' Smack value is too dangerous
+ * and supports no sane use case.
+ */
+ if (p != current)
+ return -EPERM;
+ if (strcmp(name, "current") != 0)
+ return -EINVAL;
+
+ return smk_setcurrent(value, size);
+}
+
+/**
* smack_unix_stream_connect - Smack access on UDS
* @sock: one sock
* @other: the other sock
@@ -2737,9 +2700,9 @@ static int smack_setprocattr(struct task_struct *p, char *name,
static int smack_unix_stream_connect(struct sock *sock,
struct sock *other, struct sock *newsk)
{
- struct socket_smack *ssp = sock->sk_security;
- struct socket_smack *osp = other->sk_security;
- struct socket_smack *nsp = newsk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sock, &smack_ops);
+ struct socket_smack *osp = lsm_get_sock(other, &smack_ops);
+ struct socket_smack *nsp = lsm_get_sock(newsk, &smack_ops);
struct smk_audit_info ad;
int rc = 0;
@@ -2774,8 +2737,8 @@ static int smack_unix_stream_connect(struct sock *sock,
*/
static int smack_unix_may_send(struct socket *sock, struct socket *other)
{
- struct socket_smack *ssp = sock->sk->sk_security;
- struct socket_smack *osp = other->sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sock->sk, &smack_ops);
+ struct socket_smack *osp = lsm_get_sock(other->sk, &smack_ops);
struct smk_audit_info ad;
int rc = 0;
@@ -2894,7 +2857,7 @@ static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct netlbl_lsm_secattr secattr;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
char *csp;
int rc;
struct smk_audit_info ad;
@@ -2953,7 +2916,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
int slen = 1;
int rc = 0;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (ssp->smk_packet != NULL) {
rcp = ssp->smk_packet;
slen = strlen(rcp) + 1;
@@ -3000,14 +2963,14 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
family = sock->sk->sk_family;
if (family == PF_UNIX) {
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
s = smack_to_secid(ssp->smk_out);
} else if (family == PF_INET || family == PF_INET6) {
/*
* Translate what netlabel gave us.
*/
if (sock != NULL && sock->sk != NULL)
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0) {
@@ -3038,7 +3001,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
(sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
return;
- ssp = sk->sk_security;
+ ssp = lsm_get_sock(sk, &smack_ops);
ssp->smk_in = ssp->smk_out = smk_of_current();
/* cssp->smk_packet is already set in smack_inet_csk_clone() */
}
@@ -3057,7 +3020,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
{
u16 family = sk->sk_family;
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
struct netlbl_lsm_secattr secattr;
struct sockaddr_in addr;
struct iphdr *hdr;
@@ -3131,7 +3094,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void smack_inet_csk_clone(struct sock *sk,
const struct request_sock *req)
{
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
if (req->peer_secid != 0)
ssp->smk_packet = smack_from_secid(req->peer_secid);
@@ -3161,7 +3124,8 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- key->security = smk_of_task(cred->security);
+ lsm_set_key(key, smk_of_task(lsm_get_cred(cred, &smack_ops)),
+ &smack_ops);
return 0;
}
@@ -3173,7 +3137,7 @@ static int smack_key_alloc(struct key *key, const struct cred *cred,
*/
static void smack_key_free(struct key *key)
{
- key->security = NULL;
+ lsm_set_key(key, NULL, &smack_ops);
}
/*
@@ -3190,16 +3154,18 @@ static int smack_key_permission(key_ref_t key_ref,
{
struct key *keyp;
struct smk_audit_info ad;
- char *tsp = smk_of_task(cred->security);
+ char *tsp = smk_of_task(lsm_get_cred(cred, &smack_ops));
+ char *ksp;
keyp = key_ref_to_ptr(key_ref);
if (keyp == NULL)
return -EINVAL;
+ ksp = lsm_get_key(keyp, &smack_ops);
/*
* If the key hasn't been initialized give it access so that
* it may do so.
*/
- if (keyp->security == NULL)
+ if (ksp == NULL)
return 0;
/*
* This should not occur
@@ -3211,8 +3177,7 @@ static int smack_key_permission(key_ref_t key_ref,
ad.a.u.key_struct.key = keyp->serial;
ad.a.u.key_struct.key_desc = keyp->description;
#endif
- return smk_access(tsp, keyp->security,
- MAY_READWRITE, &ad);
+ return smk_access(tsp, ksp, MAY_READWRITE, &ad);
}
#endif /* CONFIG_KEYS */
@@ -3577,6 +3542,7 @@ static __init void init_smack_known_list(void)
*/
static __init int smack_init(void)
{
+ int rc;
struct cred *cred;
struct task_smack *tsp;
@@ -3594,17 +3560,14 @@ static __init int smack_init(void)
* Set the security state for the initial task.
*/
cred = (struct cred *) current->cred;
- cred->security = tsp;
+
+ rc = lsm_set_init_cred(cred, tsp, &smack_ops);
+ if (rc != 0)
+ panic("smack: Unable to initialize credentials.\n");
/* initialize the smack_known_list */
init_smack_known_list();
- /*
- * Register with LSM
- */
- if (register_security(&smack_ops))
- panic("smack: Unable to register with kernel.\n");
-
return 0;
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 76a5dca..60071ef 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -108,7 +108,7 @@ struct smack_master_list {
struct smack_rule *smk_rule;
};
-LIST_HEAD(smack_rule_list);
+static LIST_HEAD(smack_rule_list);
static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
@@ -1582,7 +1582,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *data;
- char *sp = smk_of_task(current->cred->security);
+ char *sp = smk_of_task(lsm_get_cred(current->cred, &smack_ops));
int rc = count;
if (!smack_privileged(CAP_MAC_ADMIN))
@@ -1696,14 +1696,14 @@ static const struct file_operations smk_logging_ops = {
static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -1750,7 +1750,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_FIXED24_FMT);
@@ -1905,14 +1905,14 @@ static const struct file_operations smk_load2_ops = {
static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -1958,7 +1958,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_LONG_FMT);
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 7/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 7/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Abstract access to security blobs.
Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/smack/smack.h | 14 +-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 367 ++++++++++++++++++-----------------------
security/smack/smackfs.c | 16 +-
4 files changed, 183 insertions(+), 216 deletions(-)
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 99b3612..c012d94 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -20,6 +20,7 @@
#include <net/netlabel.h>
#include <linux/list.h>
#include <linux/rculist.h>
+#include <linux/lsm.h>
#include <linux/lsm_audit.h>
/*
@@ -203,6 +204,7 @@ struct smk_audit_info {
* These functions are in smack_lsm.c
*/
struct inode_smack *new_inode_smack(char *);
+int smk_setcurrent(char *, size_t);
/*
* These functions are in smack_access.c
@@ -243,18 +245,18 @@ extern struct security_operations smack_ops;
/*
* Is the directory transmuting?
*/
-static inline int smk_inode_transmutable(const struct inode *isp)
+static inline int smk_inode_transmutable(struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = lsm_get_inode(isp, &smack_ops);
return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
}
/*
* Present a pointer to the smack label in an inode blob.
*/
-static inline char *smk_of_inode(const struct inode *isp)
+static inline char *smk_of_inode(struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = lsm_get_inode(isp, &smack_ops);
return sip->smk_inode;
}
@@ -279,7 +281,9 @@ static inline char *smk_of_forked(const struct task_smack *tsp)
*/
static inline char *smk_of_current(void)
{
- return smk_of_task(current_security());
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
+
+ return tsp->smk_task;
}
/*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index db14689..b4b4044 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -197,7 +197,7 @@ out_audit:
*/
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
char *sp = smk_of_task(tsp);
int may;
int rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 38be92c..e625cbe 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -40,7 +40,16 @@
#include <linux/binfmts.h>
#include "smack.h"
-#define task_security(task) (task_cred_xxx((task), security))
+static void *task_security(struct task_struct *task)
+{
+ const struct cred *cred;
+
+ rcu_read_lock();
+ cred = __task_cred(task);
+ rcu_read_unlock();
+
+ return lsm_get_cred(cred, &smack_ops);
+}
#define TRANS_TRUE "TRUE"
#define TRANS_TRUE_SIZE 4
@@ -162,20 +171,14 @@ static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
*/
static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
{
- int rc;
struct smk_audit_info ad;
char *tsp;
- rc = cap_ptrace_access_check(ctp, mode);
- if (rc != 0)
- return rc;
-
tsp = smk_of_task(task_security(ctp));
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ctp);
- rc = smk_curacc(tsp, MAY_READWRITE, &ad);
- return rc;
+ return smk_curacc(tsp, MAY_READWRITE, &ad);
}
/**
@@ -188,20 +191,14 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
*/
static int smack_ptrace_traceme(struct task_struct *ptp)
{
- int rc;
struct smk_audit_info ad;
char *tsp;
- rc = cap_ptrace_traceme(ptp);
- if (rc != 0)
- return rc;
-
tsp = smk_of_task(task_security(ptp));
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ptp);
- rc = smk_curacc(tsp, MAY_READWRITE, &ad);
- return rc;
+ return smk_curacc(tsp, MAY_READWRITE, &ad);
}
/**
@@ -252,7 +249,7 @@ static int smack_sb_alloc_security(struct super_block *sb)
sbsp->smk_hat = smack_known_hat.smk_known;
sbsp->smk_initialized = 0;
- sb->s_security = sbsp;
+ lsm_set_super(sb, sbsp, &smack_ops);
return 0;
}
@@ -264,8 +261,10 @@ static int smack_sb_alloc_security(struct super_block *sb)
*/
static void smack_sb_free_security(struct super_block *sb)
{
- kfree(sb->s_security);
- sb->s_security = NULL;
+ struct superblock_smack *sbsp = lsm_get_super(sb, &smack_ops);
+
+ kfree(sbsp);
+ lsm_set_super(sb, NULL, &smack_ops);
}
/**
@@ -325,7 +324,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
struct dentry *root = sb->s_root;
struct inode *inode = root->d_inode;
- struct superblock_smack *sp = sb->s_security;
+ struct superblock_smack *sp = lsm_get_super(sb, &smack_ops);
struct inode_smack *isp;
char *op;
char *commap;
@@ -368,9 +367,9 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
/*
* Initialize the root inode.
*/
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
if (isp == NULL)
- inode->i_security = new_inode_smack(sp->smk_root);
+ lsm_set_inode(inode, new_inode_smack(sp->smk_root), &smack_ops);
else
isp->smk_inode = sp->smk_root;
@@ -386,7 +385,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
*/
static int smack_sb_statfs(struct dentry *dentry)
{
- struct superblock_smack *sbp = dentry->d_sb->s_security;
+ struct superblock_smack *sbp = lsm_get_super(dentry->d_sb, &smack_ops);
int rc;
struct smk_audit_info ad;
@@ -411,12 +410,13 @@ static int smack_sb_statfs(struct dentry *dentry)
static int smack_sb_mount(const char *dev_name, struct path *path,
const char *type, unsigned long flags, void *data)
{
- struct superblock_smack *sbp = path->dentry->d_sb->s_security;
+ struct superblock_smack *sbp;
struct smk_audit_info ad;
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, *path);
+ sbp = lsm_get_super(path->dentry->d_sb, &smack_ops);
return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
}
@@ -440,7 +440,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, path);
- sbp = path.dentry->d_sb->s_security;
+ sbp = lsm_get_super(path.dentry->d_sb, &smack_ops);
return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
}
@@ -457,18 +457,13 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
static int smack_bprm_set_creds(struct linux_binprm *bprm)
{
struct inode *inode = bprm->file->f_path.dentry->d_inode;
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = lsm_get_cred(bprm->cred, &smack_ops);
struct inode_smack *isp;
- int rc;
-
- rc = cap_bprm_set_creds(bprm);
- if (rc != 0)
- return rc;
if (bprm->cred_prepared)
return 0;
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
return 0;
@@ -489,7 +484,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
*/
static void smack_bprm_committing_creds(struct linux_binprm *bprm)
{
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = lsm_get_cred(bprm->cred, &smack_ops);
if (bsp->smk_task != bsp->smk_forked)
current->pdeath_signal = 0;
@@ -503,13 +498,9 @@ static void smack_bprm_committing_creds(struct linux_binprm *bprm)
*/
static int smack_bprm_secureexec(struct linux_binprm *bprm)
{
- struct task_smack *tsp = current_security();
- int ret = cap_bprm_secureexec(bprm);
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
- if (!ret && (tsp->smk_task != tsp->smk_forked))
- ret = 1;
-
- return ret;
+ return (tsp->smk_task != tsp->smk_forked);
}
/*
@@ -524,9 +515,12 @@ static int smack_bprm_secureexec(struct linux_binprm *bprm)
*/
static int smack_inode_alloc_security(struct inode *inode)
{
- inode->i_security = new_inode_smack(smk_of_current());
- if (inode->i_security == NULL)
+ struct inode_smack *isp = new_inode_smack(smk_of_current());
+
+ if (isp == NULL)
return -ENOMEM;
+
+ lsm_set_inode(inode, isp, &smack_ops);
return 0;
}
@@ -538,8 +532,8 @@ static int smack_inode_alloc_security(struct inode *inode)
*/
static void smack_inode_free_security(struct inode *inode)
{
- kfree(inode->i_security);
- inode->i_security = NULL;
+ kfree(lsm_get_inode(inode, &smack_ops));
+ lsm_set_inode(inode, NULL, &smack_ops);
}
/**
@@ -558,7 +552,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
void **value, size_t *len)
{
struct smack_known *skp;
- struct inode_smack *issp = inode->i_security;
+ struct inode_smack *issp = lsm_get_inode(inode, &smack_ops);
char *csp = smk_of_current();
char *isp = smk_of_inode(inode);
char *dsp = smk_of_inode(dir);
@@ -863,7 +857,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
char *nsp;
- struct inode_smack *isp = dentry->d_inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(dentry->d_inode, &smack_ops);
if (strcmp(name, XATTR_NAME_SMACK) == 0) {
nsp = smk_import(value, size);
@@ -938,7 +932,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
if (rc == 0) {
- isp = dentry->d_inode->i_security;
+ isp = lsm_get_inode(dentry->d_inode, &smack_ops);
isp->smk_task = NULL;
isp->smk_mmap = NULL;
}
@@ -955,9 +949,8 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
*
* Returns the size of the attribute or an error code
*/
-static int smack_inode_getsecurity(const struct inode *inode,
- const char *name, void **buffer,
- bool alloc)
+static int smack_inode_getsecurity(const struct inode *inode, const char *name,
+ void **buffer, bool alloc)
{
struct socket_smack *ssp;
struct socket *sock;
@@ -968,7 +961,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
int rc = 0;
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
- isp = smk_of_inode(inode);
+ isp = smk_of_inode(ip);
ilen = strlen(isp) + 1;
*buffer = isp;
return ilen;
@@ -985,7 +978,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
isp = ssp->smk_in;
@@ -1015,13 +1008,11 @@ static int smack_inode_getsecurity(const struct inode *inode,
static int smack_inode_listsecurity(struct inode *inode, char *buffer,
size_t buffer_size)
{
- int len = strlen(XATTR_NAME_SMACK);
+ const int len = sizeof(XATTR_NAME_SMACK);
- if (buffer != NULL && len <= buffer_size) {
+ if (buffer != NULL && len <= buffer_size)
memcpy(buffer, XATTR_NAME_SMACK, len);
- return len;
- }
- return -EINVAL;
+ return len;
}
/**
@@ -1031,7 +1022,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
*/
static void smack_inode_getsecid(const struct inode *inode, u32 *secid)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
*secid = smack_to_secid(isp->smk_inode);
}
@@ -1070,7 +1061,7 @@ static int smack_file_permission(struct file *file, int mask)
*/
static int smack_file_alloc_security(struct file *file)
{
- file->f_security = smk_of_current();
+ lsm_set_file(file, smk_of_current(), &smack_ops);
return 0;
}
@@ -1083,7 +1074,7 @@ static int smack_file_alloc_security(struct file *file)
*/
static void smack_file_free_security(struct file *file)
{
- file->f_security = NULL;
+ lsm_set_file(file, NULL, &smack_ops);
}
/**
@@ -1101,15 +1092,16 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
{
int rc = 0;
struct smk_audit_info ad;
+ char *fsp = lsm_get_file(file, &smack_ops);
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
if (_IOC_DIR(cmd) & _IOC_WRITE)
- rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
+ rc = smk_curacc(fsp, MAY_WRITE, &ad);
if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ))
- rc = smk_curacc(file->f_security, MAY_READ, &ad);
+ rc = smk_curacc(fsp, MAY_READ, &ad);
return rc;
}
@@ -1127,7 +1119,7 @@ static int smack_file_lock(struct file *file, unsigned int cmd)
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
- return smk_curacc(file->f_security, MAY_WRITE, &ad);
+ return smk_curacc(lsm_get_file(file, &smack_ops), MAY_WRITE, &ad);
}
/**
@@ -1157,7 +1149,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
case F_SETSIG:
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
- rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
+ rc = smk_curacc(lsm_get_file(file, &smack_ops), MAY_WRITE, &ad);
break;
default:
break;
@@ -1201,12 +1193,12 @@ static int smack_mmap_file(struct file *file,
if (dp->d_inode == NULL)
return 0;
- isp = dp->d_inode->i_security;
+ isp = lsm_get_inode(dp->d_inode, &smack_ops);
if (isp->smk_mmap == NULL)
return 0;
msmack = isp->smk_mmap;
- tsp = current_security();
+ tsp = lsm_get_cred(current_cred(), &smack_ops);
sp = smk_of_current();
skp = smk_find_entry(sp);
rc = 0;
@@ -1285,7 +1277,7 @@ static int smack_mmap_file(struct file *file,
*/
static int smack_file_set_fowner(struct file *file)
{
- file->f_security = smk_of_current();
+ lsm_set_file(file, smk_of_current(), &smack_ops);
return 0;
}
@@ -1305,22 +1297,24 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
{
struct file *file;
int rc;
- char *tsp = smk_of_task(tsk->cred->security);
+ char *tsp = smk_of_task(lsm_get_cred(tsk->cred, &smack_ops));
+ char *fsp;
struct smk_audit_info ad;
/*
* struct fown_struct is never outside the context of a struct file
*/
file = container_of(fown, struct file, f_owner);
+ fsp = lsm_get_file(file, &smack_ops);
/* we don't log here as rc can be overriden */
- rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL);
+ rc = smk_access(fsp, tsp, MAY_WRITE, NULL);
if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
rc = 0;
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, tsk);
- smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad);
+ smack_log(fsp, tsp, MAY_WRITE, rc, &ad);
return rc;
}
@@ -1345,7 +1339,7 @@ static int smack_file_receive(struct file *file)
if (file->f_mode & FMODE_WRITE)
may |= MAY_WRITE;
- return smk_curacc(file->f_security, may, &ad);
+ return smk_curacc(lsm_get_file(file, &smack_ops), may, &ad);
}
/**
@@ -1359,9 +1353,10 @@ static int smack_file_receive(struct file *file)
*/
static int smack_file_open(struct file *file, const struct cred *cred)
{
- struct inode_smack *isp = file->f_path.dentry->d_inode->i_security;
+ struct inode_smack *isp;
- file->f_security = isp->smk_inode;
+ isp = lsm_get_inode(file->f_path.dentry->d_inode, &smack_ops);
+ lsm_set_file(file, isp->smk_inode, &smack_ops);
return 0;
}
@@ -1387,7 +1382,7 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (tsp == NULL)
return -ENOMEM;
- cred->security = tsp;
+ lsm_set_cred(cred, tsp, &smack_ops);
return 0;
}
@@ -1400,14 +1395,14 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void smack_cred_free(struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = lsm_get_cred(cred, &smack_ops);
struct smack_rule *rp;
struct list_head *l;
struct list_head *n;
if (tsp == NULL)
return;
- cred->security = NULL;
+ lsm_set_cred(cred, NULL, &smack_ops);
list_for_each_safe(l, n, &tsp->smk_rules) {
rp = list_entry(l, struct smack_rule, list);
@@ -1428,7 +1423,7 @@ static void smack_cred_free(struct cred *cred)
static int smack_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct task_smack *old_tsp = old->security;
+ struct task_smack *old_tsp = lsm_get_cred(old, &smack_ops);
struct task_smack *new_tsp;
int rc;
@@ -1440,7 +1435,7 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
if (rc != 0)
return rc;
- new->security = new_tsp;
+ lsm_set_cred(new, new_tsp, &smack_ops);
return 0;
}
@@ -1453,8 +1448,8 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
*/
static void smack_cred_transfer(struct cred *new, const struct cred *old)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp = new->security;
+ struct task_smack *old_tsp = lsm_get_cred(old, &smack_ops);
+ struct task_smack *new_tsp = lsm_get_cred(new, &smack_ops);
new_tsp->smk_task = old_tsp->smk_task;
new_tsp->smk_forked = old_tsp->smk_task;
@@ -1474,7 +1469,7 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
*/
static int smack_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_smack *new_tsp = new->security;
+ struct task_smack *new_tsp = lsm_get_cred(new, &smack_ops);
char *smack = smack_from_secid(secid);
if (smack == NULL)
@@ -1495,8 +1490,8 @@ static int smack_kernel_act_as(struct cred *new, u32 secid)
static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
- struct task_smack *tsp = new->security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
+ struct task_smack *tsp = lsm_get_cred(new, &smack_ops);
tsp->smk_forked = isp->smk_inode;
tsp->smk_task = isp->smk_inode;
@@ -1576,12 +1571,7 @@ static void smack_task_getsecid(struct task_struct *p, u32 *secid)
*/
static int smack_task_setnice(struct task_struct *p, int nice)
{
- int rc;
-
- rc = cap_task_setnice(p, nice);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -1593,12 +1583,7 @@ static int smack_task_setnice(struct task_struct *p, int nice)
*/
static int smack_task_setioprio(struct task_struct *p, int ioprio)
{
- int rc;
-
- rc = cap_task_setioprio(p, ioprio);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -1622,12 +1607,7 @@ static int smack_task_getioprio(struct task_struct *p)
*/
static int smack_task_setscheduler(struct task_struct *p)
{
- int rc;
-
- rc = cap_task_setscheduler(p);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -1715,7 +1695,7 @@ static int smack_task_wait(struct task_struct *p)
*/
static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
isp->smk_inode = smk_of_task(task_security(p));
}
@@ -1746,7 +1726,7 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
ssp->smk_out = csp;
ssp->smk_packet = NULL;
- sk->sk_security = ssp;
+ lsm_set_sock(sk, ssp, &smack_ops);
return 0;
}
@@ -1759,7 +1739,8 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
*/
static void smack_sk_free_security(struct sock *sk)
{
- kfree(sk->sk_security);
+ kfree(lsm_get_sock(sk, &smack_ops));
+ lsm_set_sock(sk, NULL, &smack_ops);
}
/**
@@ -1812,7 +1793,7 @@ static char *smack_host_label(struct sockaddr_in *sip)
static int smack_netlabel(struct sock *sk, int labeled)
{
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
int rc = 0;
/*
@@ -1856,7 +1837,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
int rc;
int sk_lbl;
char *hostsp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
struct smk_audit_info ad;
rcu_read_lock();
@@ -1899,7 +1880,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
char *sp;
- struct inode_smack *nsp = inode->i_security;
+ struct inode_smack *nsp = lsm_get_inode(inode, &smack_ops);
struct socket_smack *ssp;
struct socket *sock;
int rc = 0;
@@ -1926,7 +1907,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
ssp->smk_in = sp;
@@ -2017,7 +1998,7 @@ static int smack_flags_to_may(int flags)
*/
static int smack_msg_msg_alloc_security(struct msg_msg *msg)
{
- msg->security = smk_of_current();
+ lsm_set_msg(msg, smk_of_current(), &smack_ops);
return 0;
}
@@ -2029,7 +2010,7 @@ static int smack_msg_msg_alloc_security(struct msg_msg *msg)
*/
static void smack_msg_msg_free_security(struct msg_msg *msg)
{
- msg->security = NULL;
+ lsm_set_msg(msg, NULL, &smack_ops);
}
/**
@@ -2040,7 +2021,7 @@ static void smack_msg_msg_free_security(struct msg_msg *msg)
*/
static char *smack_of_shm(struct shmid_kernel *shp)
{
- return (char *)shp->shm_perm.security;
+ return lsm_get_ipc(&shp->shm_perm, &smack_ops);
}
/**
@@ -2051,9 +2032,7 @@ static char *smack_of_shm(struct shmid_kernel *shp)
*/
static int smack_shm_alloc_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = smk_of_current();
+ lsm_set_ipc(&shp->shm_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2065,9 +2044,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp)
*/
static void smack_shm_free_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = NULL;
+ lsm_set_ipc(&shp->shm_perm, NULL, &smack_ops);
}
/**
@@ -2079,14 +2056,13 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
*/
static int smk_curacc_shm(struct shmid_kernel *shp, int access)
{
- char *ssp = smack_of_shm(shp);
struct smk_audit_info ad;
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
ad.a.u.ipc_id = shp->shm_perm.id;
#endif
- return smk_curacc(ssp, access, &ad);
+ return smk_curacc(smack_of_shm(shp), access, &ad);
}
/**
@@ -2098,10 +2074,7 @@ static int smk_curacc_shm(struct shmid_kernel *shp, int access)
*/
static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
{
- int may;
-
- may = smack_flags_to_may(shmflg);
- return smk_curacc_shm(shp, may);
+ return smk_curacc_shm(shp, smack_flags_to_may(shmflg));
}
/**
@@ -2149,10 +2122,7 @@ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
int shmflg)
{
- int may;
-
- may = smack_flags_to_may(shmflg);
- return smk_curacc_shm(shp, may);
+ return smk_curacc_shm(shp, smack_flags_to_may(shmflg));
}
/**
@@ -2163,7 +2133,7 @@ static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
*/
static char *smack_of_sem(struct sem_array *sma)
{
- return (char *)sma->sem_perm.security;
+ return lsm_get_ipc(&sma->sem_perm, &smack_ops);
}
/**
@@ -2174,9 +2144,7 @@ static char *smack_of_sem(struct sem_array *sma)
*/
static int smack_sem_alloc_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = smk_of_current();
+ lsm_set_ipc(&sma->sem_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2188,9 +2156,7 @@ static int smack_sem_alloc_security(struct sem_array *sma)
*/
static void smack_sem_free_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = NULL;
+ lsm_set_ipc(&sma->sem_perm, NULL, &smack_ops);
}
/**
@@ -2221,10 +2187,7 @@ static int smk_curacc_sem(struct sem_array *sma, int access)
*/
static int smack_sem_associate(struct sem_array *sma, int semflg)
{
- int may;
-
- may = smack_flags_to_may(semflg);
- return smk_curacc_sem(sma, may);
+ return smk_curacc_sem(sma, smack_flags_to_may(semflg));
}
/**
@@ -2292,9 +2255,7 @@ static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
*/
static int smack_msg_queue_alloc_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = smk_of_current();
+ lsm_set_ipc(&msq->q_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2306,9 +2267,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq)
*/
static void smack_msg_queue_free_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = NULL;
+ lsm_set_ipc(&msq->q_perm, NULL, &smack_ops);
}
/**
@@ -2319,7 +2278,7 @@ static void smack_msg_queue_free_security(struct msg_queue *msq)
*/
static char *smack_of_msq(struct msg_queue *msq)
{
- return (char *)msq->q_perm.security;
+ return lsm_get_ipc(&msq->q_perm, &smack_ops);
}
/**
@@ -2350,10 +2309,7 @@ static int smk_curacc_msq(struct msg_queue *msq, int access)
*/
static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
- int may;
-
- may = smack_flags_to_may(msqflg);
- return smk_curacc_msq(msq, may);
+ return smk_curacc_msq(msq, smack_flags_to_may(msqflg));
}
/**
@@ -2400,10 +2356,7 @@ static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
int msqflg)
{
- int may;
-
- may = smack_flags_to_may(msqflg);
- return smk_curacc_msq(msq, may);
+ return smk_curacc_msq(msq, smack_flags_to_may(msqflg));
}
/**
@@ -2431,15 +2384,14 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
*/
static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
{
- char *isp = ipp->security;
- int may = smack_flags_to_may(flag);
struct smk_audit_info ad;
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
ad.a.u.ipc_id = ipp->id;
#endif
- return smk_curacc(isp, may, &ad);
+ return smk_curacc(lsm_get_ipc(ipp, &smack_ops),
+ smack_flags_to_may(flag), &ad);
}
/**
@@ -2449,9 +2401,7 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
*/
static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
{
- char *smack = ipp->security;
-
- *secid = smack_to_secid(smack);
+ *secid = smack_to_secid(lsm_get_ipc(ipp, &smack_ops));
}
/**
@@ -2477,7 +2427,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
if (inode == NULL)
return;
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
mutex_lock(&isp->smk_lock);
/*
@@ -2488,7 +2438,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
goto unlockandout;
sbp = inode->i_sb;
- sbsp = sbp->s_security;
+ sbsp = lsm_get_super(sbp, &smack_ops);
/*
* We're going to use the superblock default label
* if there's no label on the file.
@@ -2670,40 +2620,26 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
}
/**
- * smack_setprocattr - Smack process attribute setting
- * @p: the object task
- * @name: the name of the attribute in /proc/.../attr
+ * smk_setcurrent - Set Smack process attribute setting
* @value: the value to set
* @size: the size of the value
*
- * Sets the Smack value of the task. Only setting self
- * is permitted and only with privilege
+ * Sets the Smack value of the task. Only with privilege
*
* Returns the length of the smack label or an error code
*/
-static int smack_setprocattr(struct task_struct *p, char *name,
- void *value, size_t size)
+int smk_setcurrent(char *value, size_t size)
{
struct task_smack *tsp;
struct cred *new;
char *newsmack;
- /*
- * Changing another process' Smack value is too dangerous
- * and supports no sane use case.
- */
- if (p != current)
- return -EPERM;
-
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;
if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
return -EINVAL;
- if (strcmp(name, "current") != 0)
- return -EINVAL;
-
newsmack = smk_import(value, size);
if (newsmack == NULL)
return -EINVAL;
@@ -2718,7 +2654,7 @@ static int smack_setprocattr(struct task_struct *p, char *name,
if (new == NULL)
return -ENOMEM;
- tsp = new->security;
+ tsp = lsm_get_cred(new, &smack_ops);
tsp->smk_task = newsmack;
commit_creds(new);
@@ -2726,6 +2662,33 @@ static int smack_setprocattr(struct task_struct *p, char *name,
}
/**
+ * smack_setprocattr - Smack process attribute setting
+ * @p: the object task
+ * @name: the name of the attribute in /proc/.../attr
+ * @value: the value to set
+ * @size: the size of the value
+ *
+ * Sets the Smack value of the task. Only setting self
+ * is permitted and only with privilege
+ *
+ * Returns the length of the smack label or an error code
+ */
+static int smack_setprocattr(struct task_struct *p, char *name,
+ void *value, size_t size)
+{
+ /*
+ * Changing another process' Smack value is too dangerous
+ * and supports no sane use case.
+ */
+ if (p != current)
+ return -EPERM;
+ if (strcmp(name, "current") != 0)
+ return -EINVAL;
+
+ return smk_setcurrent(value, size);
+}
+
+/**
* smack_unix_stream_connect - Smack access on UDS
* @sock: one sock
* @other: the other sock
@@ -2737,9 +2700,9 @@ static int smack_setprocattr(struct task_struct *p, char *name,
static int smack_unix_stream_connect(struct sock *sock,
struct sock *other, struct sock *newsk)
{
- struct socket_smack *ssp = sock->sk_security;
- struct socket_smack *osp = other->sk_security;
- struct socket_smack *nsp = newsk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sock, &smack_ops);
+ struct socket_smack *osp = lsm_get_sock(other, &smack_ops);
+ struct socket_smack *nsp = lsm_get_sock(newsk, &smack_ops);
struct smk_audit_info ad;
int rc = 0;
@@ -2774,8 +2737,8 @@ static int smack_unix_stream_connect(struct sock *sock,
*/
static int smack_unix_may_send(struct socket *sock, struct socket *other)
{
- struct socket_smack *ssp = sock->sk->sk_security;
- struct socket_smack *osp = other->sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sock->sk, &smack_ops);
+ struct socket_smack *osp = lsm_get_sock(other->sk, &smack_ops);
struct smk_audit_info ad;
int rc = 0;
@@ -2894,7 +2857,7 @@ static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct netlbl_lsm_secattr secattr;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
char *csp;
int rc;
struct smk_audit_info ad;
@@ -2953,7 +2916,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
int slen = 1;
int rc = 0;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (ssp->smk_packet != NULL) {
rcp = ssp->smk_packet;
slen = strlen(rcp) + 1;
@@ -3000,14 +2963,14 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
family = sock->sk->sk_family;
if (family == PF_UNIX) {
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
s = smack_to_secid(ssp->smk_out);
} else if (family == PF_INET || family == PF_INET6) {
/*
* Translate what netlabel gave us.
*/
if (sock != NULL && sock->sk != NULL)
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0) {
@@ -3038,7 +3001,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
(sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
return;
- ssp = sk->sk_security;
+ ssp = lsm_get_sock(sk, &smack_ops);
ssp->smk_in = ssp->smk_out = smk_of_current();
/* cssp->smk_packet is already set in smack_inet_csk_clone() */
}
@@ -3057,7 +3020,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
{
u16 family = sk->sk_family;
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
struct netlbl_lsm_secattr secattr;
struct sockaddr_in addr;
struct iphdr *hdr;
@@ -3131,7 +3094,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void smack_inet_csk_clone(struct sock *sk,
const struct request_sock *req)
{
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
if (req->peer_secid != 0)
ssp->smk_packet = smack_from_secid(req->peer_secid);
@@ -3161,7 +3124,8 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- key->security = smk_of_task(cred->security);
+ lsm_set_key(key, smk_of_task(lsm_get_cred(cred, &smack_ops)),
+ &smack_ops);
return 0;
}
@@ -3173,7 +3137,7 @@ static int smack_key_alloc(struct key *key, const struct cred *cred,
*/
static void smack_key_free(struct key *key)
{
- key->security = NULL;
+ lsm_set_key(key, NULL, &smack_ops);
}
/*
@@ -3190,16 +3154,18 @@ static int smack_key_permission(key_ref_t key_ref,
{
struct key *keyp;
struct smk_audit_info ad;
- char *tsp = smk_of_task(cred->security);
+ char *tsp = smk_of_task(lsm_get_cred(cred, &smack_ops));
+ char *ksp;
keyp = key_ref_to_ptr(key_ref);
if (keyp == NULL)
return -EINVAL;
+ ksp = lsm_get_key(keyp, &smack_ops);
/*
* If the key hasn't been initialized give it access so that
* it may do so.
*/
- if (keyp->security == NULL)
+ if (ksp == NULL)
return 0;
/*
* This should not occur
@@ -3211,8 +3177,7 @@ static int smack_key_permission(key_ref_t key_ref,
ad.a.u.key_struct.key = keyp->serial;
ad.a.u.key_struct.key_desc = keyp->description;
#endif
- return smk_access(tsp, keyp->security,
- MAY_READWRITE, &ad);
+ return smk_access(tsp, ksp, MAY_READWRITE, &ad);
}
#endif /* CONFIG_KEYS */
@@ -3577,6 +3542,7 @@ static __init void init_smack_known_list(void)
*/
static __init int smack_init(void)
{
+ int rc;
struct cred *cred;
struct task_smack *tsp;
@@ -3594,17 +3560,14 @@ static __init int smack_init(void)
* Set the security state for the initial task.
*/
cred = (struct cred *) current->cred;
- cred->security = tsp;
+
+ rc = lsm_set_init_cred(cred, tsp, &smack_ops);
+ if (rc != 0)
+ panic("smack: Unable to initialize credentials.\n");
/* initialize the smack_known_list */
init_smack_known_list();
- /*
- * Register with LSM
- */
- if (register_security(&smack_ops))
- panic("smack: Unable to register with kernel.\n");
-
return 0;
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 76a5dca..60071ef 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -108,7 +108,7 @@ struct smack_master_list {
struct smack_rule *smk_rule;
};
-LIST_HEAD(smack_rule_list);
+static LIST_HEAD(smack_rule_list);
static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
@@ -1582,7 +1582,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *data;
- char *sp = smk_of_task(current->cred->security);
+ char *sp = smk_of_task(lsm_get_cred(current->cred, &smack_ops));
int rc = count;
if (!smack_privileged(CAP_MAC_ADMIN))
@@ -1696,14 +1696,14 @@ static const struct file_operations smk_logging_ops = {
static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -1750,7 +1750,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_FIXED24_FMT);
@@ -1905,14 +1905,14 @@ static const struct file_operations smk_load2_ops = {
static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -1958,7 +1958,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_LONG_FMT);
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 8/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 8/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Abstract access to security blobs.
Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/tomoyo/common.h | 6 +++--
security/tomoyo/domain.c | 2 +-
security/tomoyo/securityfs_if.c | 9 +++++---
security/tomoyo/tomoyo.c | 47 ++++++++++++++++++++++-----------------
4 files changed, 38 insertions(+), 26 deletions(-)
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index d4f166b..ef0cdcc 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -28,6 +28,7 @@
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/un.h>
+#include <linux/lsm.h>
#include <net/sock.h>
#include <net/af_unix.h>
#include <net/ip.h>
@@ -1079,6 +1080,7 @@ extern struct list_head tomoyo_domain_list;
extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
extern struct list_head tomoyo_namespace_list;
extern struct mutex tomoyo_policy_lock;
+extern struct security_operations tomoyo_security_ops;
extern struct srcu_struct tomoyo_ss;
extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
@@ -1202,7 +1204,7 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
*/
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
- return current_cred()->security;
+ return lsm_get_cred(current_cred(), &tomoyo_security_ops);
}
/**
@@ -1215,7 +1217,7 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void)
static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
*task)
{
- return task_cred_xxx(task, security);
+ return lsm_get_cred(__task_cred(task), &tomoyo_security_ops);
}
/**
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 3865145..15042e7 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -840,7 +840,7 @@ force_jump_domain:
domain = old_domain;
/* Update reference count on "struct tomoyo_domain_info". */
atomic_inc(&domain->users);
- bprm->cred->security = domain;
+ lsm_set_cred(bprm->cred, domain, &tomoyo_security_ops);
kfree(exename.name);
if (!retval) {
ee->r.domain = domain;
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 8592f2fc..37feaf5 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -75,8 +75,10 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
error = -ENOMEM;
} else {
struct tomoyo_domain_info *old_domain =
- cred->security;
- cred->security = new_domain;
+ lsm_get_cred(cred,
+ &tomoyo_security_ops);
+ lsm_set_cred(cred, new_domain,
+ &tomoyo_security_ops);
atomic_inc(&new_domain->users);
atomic_dec(&old_domain->users);
commit_creds(cred);
@@ -242,7 +244,8 @@ static int __init tomoyo_initerface_init(void)
struct dentry *tomoyo_dir;
/* Don't create securityfs entries unless registered. */
- if (current_cred()->security != &tomoyo_kernel_domain)
+ if (lsm_get_cred(current_cred(), &tomoyo_security_ops) !=
+ &tomoyo_kernel_domain)
return 0;
tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index a2ee362..b2a58ae 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -17,7 +17,7 @@
*/
static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
{
- new->security = NULL;
+ lsm_set_cred(new, NULL, &tomoyo_security_ops);
return 0;
}
@@ -33,8 +33,10 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct tomoyo_domain_info *domain = old->security;
- new->security = domain;
+ struct tomoyo_domain_info *domain;
+
+ domain = lsm_get_cred(old, &tomoyo_security_ops);
+ lsm_set_cred(new, domain, &tomoyo_security_ops);
if (domain)
atomic_inc(&domain->users);
return 0;
@@ -58,9 +60,13 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
*/
static void tomoyo_cred_free(struct cred *cred)
{
- struct tomoyo_domain_info *domain = cred->security;
- if (domain)
+ struct tomoyo_domain_info *domain;
+
+ domain = lsm_get_cred(cred, &tomoyo_security_ops);
+ if (domain) {
atomic_dec(&domain->users);
+ lsm_set_cred(cred, NULL, &tomoyo_security_ops);
+ }
}
/**
@@ -72,12 +78,6 @@ static void tomoyo_cred_free(struct cred *cred)
*/
static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
{
- int rc;
-
- rc = cap_bprm_set_creds(bprm);
- if (rc)
- return rc;
-
/*
* Do only if this function is called for the first time of an execve
* operation.
@@ -98,13 +98,13 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
* stored inside "bprm->cred->security" will be acquired later inside
* tomoyo_find_next_domain().
*/
- atomic_dec(&((struct tomoyo_domain_info *)
- bprm->cred->security)->users);
+ atomic_dec(&((struct tomoyo_domain_info *)lsm_get_cred(bprm->cred,
+ &tomoyo_security_ops))->users);
/*
* Tell tomoyo_bprm_check_security() is called for the first time of an
* execve operation.
*/
- bprm->cred->security = NULL;
+ lsm_set_cred(bprm->cred, NULL, &tomoyo_security_ops);
return 0;
}
@@ -117,8 +117,9 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
*/
static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
{
- struct tomoyo_domain_info *domain = bprm->cred->security;
+ struct tomoyo_domain_info *domain;
+ domain = lsm_get_cred(bprm->cred, &tomoyo_security_ops);
/*
* Execute permission is checked against pathname passed to do_execve()
* using current domain.
@@ -503,7 +504,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
*/
-static struct security_operations tomoyo_security_ops = {
+struct security_operations tomoyo_security_ops = {
.name = "tomoyo",
.cred_alloc_blank = tomoyo_cred_alloc_blank,
.cred_prepare = tomoyo_cred_prepare,
@@ -545,16 +546,22 @@ struct srcu_struct tomoyo_ss;
*/
static int __init tomoyo_init(void)
{
+ int rc;
struct cred *cred = (struct cred *) current_cred();
+ /* register ourselves with the security framework */
if (!security_module_enable(&tomoyo_security_ops))
return 0;
- /* register ourselves with the security framework */
- if (register_security(&tomoyo_security_ops) ||
- init_srcu_struct(&tomoyo_ss))
+
+ if (init_srcu_struct(&tomoyo_ss))
panic("Failure registering TOMOYO Linux");
printk(KERN_INFO "TOMOYO Linux initialized\n");
- cred->security = &tomoyo_kernel_domain;
+
+ rc = lsm_set_init_cred(cred, &tomoyo_kernel_domain,
+ &tomoyo_security_ops);
+ if (rc)
+ panic("Failure allocating credential for TOMOYO Linux");
+
tomoyo_mm_init();
return 0;
}
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 8/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 8/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Abstract access to security blobs.
Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/tomoyo/common.h | 6 +++--
security/tomoyo/domain.c | 2 +-
security/tomoyo/securityfs_if.c | 9 +++++---
security/tomoyo/tomoyo.c | 47 ++++++++++++++++++++++-----------------
4 files changed, 38 insertions(+), 26 deletions(-)
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index d4f166b..ef0cdcc 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -28,6 +28,7 @@
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/un.h>
+#include <linux/lsm.h>
#include <net/sock.h>
#include <net/af_unix.h>
#include <net/ip.h>
@@ -1079,6 +1080,7 @@ extern struct list_head tomoyo_domain_list;
extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
extern struct list_head tomoyo_namespace_list;
extern struct mutex tomoyo_policy_lock;
+extern struct security_operations tomoyo_security_ops;
extern struct srcu_struct tomoyo_ss;
extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
@@ -1202,7 +1204,7 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
*/
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
- return current_cred()->security;
+ return lsm_get_cred(current_cred(), &tomoyo_security_ops);
}
/**
@@ -1215,7 +1217,7 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void)
static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
*task)
{
- return task_cred_xxx(task, security);
+ return lsm_get_cred(__task_cred(task), &tomoyo_security_ops);
}
/**
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 3865145..15042e7 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -840,7 +840,7 @@ force_jump_domain:
domain = old_domain;
/* Update reference count on "struct tomoyo_domain_info". */
atomic_inc(&domain->users);
- bprm->cred->security = domain;
+ lsm_set_cred(bprm->cred, domain, &tomoyo_security_ops);
kfree(exename.name);
if (!retval) {
ee->r.domain = domain;
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 8592f2fc..37feaf5 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -75,8 +75,10 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
error = -ENOMEM;
} else {
struct tomoyo_domain_info *old_domain =
- cred->security;
- cred->security = new_domain;
+ lsm_get_cred(cred,
+ &tomoyo_security_ops);
+ lsm_set_cred(cred, new_domain,
+ &tomoyo_security_ops);
atomic_inc(&new_domain->users);
atomic_dec(&old_domain->users);
commit_creds(cred);
@@ -242,7 +244,8 @@ static int __init tomoyo_initerface_init(void)
struct dentry *tomoyo_dir;
/* Don't create securityfs entries unless registered. */
- if (current_cred()->security != &tomoyo_kernel_domain)
+ if (lsm_get_cred(current_cred(), &tomoyo_security_ops) !=
+ &tomoyo_kernel_domain)
return 0;
tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index a2ee362..b2a58ae 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -17,7 +17,7 @@
*/
static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
{
- new->security = NULL;
+ lsm_set_cred(new, NULL, &tomoyo_security_ops);
return 0;
}
@@ -33,8 +33,10 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct tomoyo_domain_info *domain = old->security;
- new->security = domain;
+ struct tomoyo_domain_info *domain;
+
+ domain = lsm_get_cred(old, &tomoyo_security_ops);
+ lsm_set_cred(new, domain, &tomoyo_security_ops);
if (domain)
atomic_inc(&domain->users);
return 0;
@@ -58,9 +60,13 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
*/
static void tomoyo_cred_free(struct cred *cred)
{
- struct tomoyo_domain_info *domain = cred->security;
- if (domain)
+ struct tomoyo_domain_info *domain;
+
+ domain = lsm_get_cred(cred, &tomoyo_security_ops);
+ if (domain) {
atomic_dec(&domain->users);
+ lsm_set_cred(cred, NULL, &tomoyo_security_ops);
+ }
}
/**
@@ -72,12 +78,6 @@ static void tomoyo_cred_free(struct cred *cred)
*/
static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
{
- int rc;
-
- rc = cap_bprm_set_creds(bprm);
- if (rc)
- return rc;
-
/*
* Do only if this function is called for the first time of an execve
* operation.
@@ -98,13 +98,13 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
* stored inside "bprm->cred->security" will be acquired later inside
* tomoyo_find_next_domain().
*/
- atomic_dec(&((struct tomoyo_domain_info *)
- bprm->cred->security)->users);
+ atomic_dec(&((struct tomoyo_domain_info *)lsm_get_cred(bprm->cred,
+ &tomoyo_security_ops))->users);
/*
* Tell tomoyo_bprm_check_security() is called for the first time of an
* execve operation.
*/
- bprm->cred->security = NULL;
+ lsm_set_cred(bprm->cred, NULL, &tomoyo_security_ops);
return 0;
}
@@ -117,8 +117,9 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
*/
static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
{
- struct tomoyo_domain_info *domain = bprm->cred->security;
+ struct tomoyo_domain_info *domain;
+ domain = lsm_get_cred(bprm->cred, &tomoyo_security_ops);
/*
* Execute permission is checked against pathname passed to do_execve()
* using current domain.
@@ -503,7 +504,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
*/
-static struct security_operations tomoyo_security_ops = {
+struct security_operations tomoyo_security_ops = {
.name = "tomoyo",
.cred_alloc_blank = tomoyo_cred_alloc_blank,
.cred_prepare = tomoyo_cred_prepare,
@@ -545,16 +546,22 @@ struct srcu_struct tomoyo_ss;
*/
static int __init tomoyo_init(void)
{
+ int rc;
struct cred *cred = (struct cred *) current_cred();
+ /* register ourselves with the security framework */
if (!security_module_enable(&tomoyo_security_ops))
return 0;
- /* register ourselves with the security framework */
- if (register_security(&tomoyo_security_ops) ||
- init_srcu_struct(&tomoyo_ss))
+
+ if (init_srcu_struct(&tomoyo_ss))
panic("Failure registering TOMOYO Linux");
printk(KERN_INFO "TOMOYO Linux initialized\n");
- cred->security = &tomoyo_kernel_domain;
+
+ rc = lsm_set_init_cred(cred, &tomoyo_kernel_domain,
+ &tomoyo_security_ops);
+ if (rc)
+ panic("Failure allocating credential for TOMOYO Linux");
+
tomoyo_mm_init();
return 0;
}
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 9/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 2:09 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 9/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Remove special case Yama stacking. Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/yama/Kconfig | 7 -------
security/yama/yama_lsm.c | 33 +++------------------------------
2 files changed, 3 insertions(+), 37 deletions(-)
diff --git a/security/yama/Kconfig b/security/yama/Kconfig
index 20ef514..a99aa1d 100644
--- a/security/yama/Kconfig
+++ b/security/yama/Kconfig
@@ -12,10 +12,3 @@ config SECURITY_YAMA
If you are unsure how to answer this question, answer N.
-config SECURITY_YAMA_STACKED
- bool "Yama stacked with other LSMs"
- depends on SECURITY_YAMA
- default n
- help
- When Yama is built into the kernel, force it to stack with the
- selected primary LSM.
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 23414b9..acfe1f0 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -154,13 +154,9 @@ void yama_task_free(struct task_struct *task)
int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
- int rc;
+ int rc = -ENOSYS;
struct task_struct *myself = current;
- rc = cap_task_prctl(option, arg2, arg3, arg4, arg5);
- if (rc != -ENOSYS)
- return rc;
-
switch (option) {
case PR_SET_PTRACER:
/* Since a thread can call prctl(), find the group leader
@@ -282,14 +278,7 @@ static int ptracer_exception_found(struct task_struct *tracer,
int yama_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int rc;
-
- /* If standard caps disallows it, so does Yama. We should
- * only tighten restrictions further.
- */
- rc = cap_ptrace_access_check(child, mode);
- if (rc)
- return rc;
+ int rc = 0;
/* require ptrace target be a child of ptracer on attach */
if (mode == PTRACE_MODE_ATTACH) {
@@ -335,14 +324,7 @@ int yama_ptrace_access_check(struct task_struct *child,
*/
int yama_ptrace_traceme(struct task_struct *parent)
{
- int rc;
-
- /* If standard caps disallows it, so does Yama. We should
- * only tighten restrictions further.
- */
- rc = cap_ptrace_traceme(parent);
- if (rc)
- return rc;
+ int rc = 0;
/* Only disallow PTRACE_TRACEME on more aggressive settings. */
switch (ptrace_scope) {
@@ -366,7 +348,6 @@ int yama_ptrace_traceme(struct task_struct *parent)
return rc;
}
-#ifndef CONFIG_SECURITY_YAMA_STACKED
static struct security_operations yama_ops = {
.name = "yama",
@@ -375,7 +356,6 @@ static struct security_operations yama_ops = {
.task_prctl = yama_task_prctl,
.task_free = yama_task_free,
};
-#endif
#ifdef CONFIG_SYSCTL
static int yama_dointvec_minmax(struct ctl_table *table, int write,
@@ -422,18 +402,11 @@ static struct ctl_table yama_sysctl_table[] = {
static __init int yama_init(void)
{
-#ifndef CONFIG_SECURITY_YAMA_STACKED
if (!security_module_enable(&yama_ops))
return 0;
-#endif
printk(KERN_INFO "Yama: becoming mindful.\n");
-#ifndef CONFIG_SECURITY_YAMA_STACKED
- if (register_security(&yama_ops))
- panic("Yama: kernel registration failed.\n");
-#endif
-
#ifdef CONFIG_SYSCTL
if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table))
panic("Yama: sysctl registration failed.\n");
^ permalink raw reply related [flat|nested] 67+ messages in thread
* [PATCH v12 9/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 2:09 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 2:09 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
Subject: [PATCH v12 9/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s
from a single vector of hook handlers to a list based method
for handling multiple concurrent modules.
Remove special case Yama stacking. Remove commoncap calls.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/yama/Kconfig | 7 -------
security/yama/yama_lsm.c | 33 +++------------------------------
2 files changed, 3 insertions(+), 37 deletions(-)
diff --git a/security/yama/Kconfig b/security/yama/Kconfig
index 20ef514..a99aa1d 100644
--- a/security/yama/Kconfig
+++ b/security/yama/Kconfig
@@ -12,10 +12,3 @@ config SECURITY_YAMA
If you are unsure how to answer this question, answer N.
-config SECURITY_YAMA_STACKED
- bool "Yama stacked with other LSMs"
- depends on SECURITY_YAMA
- default n
- help
- When Yama is built into the kernel, force it to stack with the
- selected primary LSM.
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 23414b9..acfe1f0 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -154,13 +154,9 @@ void yama_task_free(struct task_struct *task)
int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
- int rc;
+ int rc = -ENOSYS;
struct task_struct *myself = current;
- rc = cap_task_prctl(option, arg2, arg3, arg4, arg5);
- if (rc != -ENOSYS)
- return rc;
-
switch (option) {
case PR_SET_PTRACER:
/* Since a thread can call prctl(), find the group leader
@@ -282,14 +278,7 @@ static int ptracer_exception_found(struct task_struct *tracer,
int yama_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int rc;
-
- /* If standard caps disallows it, so does Yama. We should
- * only tighten restrictions further.
- */
- rc = cap_ptrace_access_check(child, mode);
- if (rc)
- return rc;
+ int rc = 0;
/* require ptrace target be a child of ptracer on attach */
if (mode == PTRACE_MODE_ATTACH) {
@@ -335,14 +324,7 @@ int yama_ptrace_access_check(struct task_struct *child,
*/
int yama_ptrace_traceme(struct task_struct *parent)
{
- int rc;
-
- /* If standard caps disallows it, so does Yama. We should
- * only tighten restrictions further.
- */
- rc = cap_ptrace_traceme(parent);
- if (rc)
- return rc;
+ int rc = 0;
/* Only disallow PTRACE_TRACEME on more aggressive settings. */
switch (ptrace_scope) {
@@ -366,7 +348,6 @@ int yama_ptrace_traceme(struct task_struct *parent)
return rc;
}
-#ifndef CONFIG_SECURITY_YAMA_STACKED
static struct security_operations yama_ops = {
.name = "yama",
@@ -375,7 +356,6 @@ static struct security_operations yama_ops = {
.task_prctl = yama_task_prctl,
.task_free = yama_task_free,
};
-#endif
#ifdef CONFIG_SYSCTL
static int yama_dointvec_minmax(struct ctl_table *table, int write,
@@ -422,18 +402,11 @@ static struct ctl_table yama_sysctl_table[] = {
static __init int yama_init(void)
{
-#ifndef CONFIG_SECURITY_YAMA_STACKED
if (!security_module_enable(&yama_ops))
return 0;
-#endif
printk(KERN_INFO "Yama: becoming mindful.\n");
-#ifndef CONFIG_SECURITY_YAMA_STACKED
- if (register_security(&yama_ops))
- panic("Yama: kernel registration failed.\n");
-#endif
-
#ifdef CONFIG_SYSCTL
if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table))
panic("Yama: sysctl registration failed.\n");
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply related [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
` (9 preceding siblings ...)
(?)
@ 2013-01-08 3:01 ` Stephen Rothwell
2013-01-08 3:59 ` Stephen Rothwell
2013-01-08 4:02 ` Casey Schaufler
-1 siblings, 2 replies; 67+ messages in thread
From: Stephen Rothwell @ 2013-01-08 3:01 UTC (permalink / raw)
To: Casey Schaufler
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton
[-- Attachment #1: Type: text/plain, Size: 2223 bytes --]
Hi Casey,
On Mon, 07 Jan 2013 17:54:24 -0800 Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s
> from a single vector of hook handlers to a list based method
> for handling multiple concurrent modules.
>
> A level of indirection has been introduced in the handling of
> security blobs. LSMs no longer access ->security fields directly,
> instead they use an abstraction provided by lsm_[gs]et field
> functions.
>
> The XFRM hooks are only used by SELinux and it is not clear
> that they can be shared. The First LSM that registers using
> those hooks gets to use them. Any subsequent LSM that uses
> those hooks is denied registration.
>
> Secids have not been made shareable. Only one LSM that uses
> secids (SELinux and Smack) can be used at a time. The first
> to register wins.
>
> The "security=" boot option takes a comma separated list of
> LSMs, registering them in the order presented. The LSM hooks
> will be executed in the order registered. Hooks that return
> errors are not short circuited. All hooks are called even
> if one of the LSM hooks fails. The result returned will be
> that of the last LSM hook that failed.
>
> Some hooks don't fit that model. setprocattr, getprocattr,
> and a few others are special cased. All behavior from
> security/capability.c has been moved into the hook handling.
> The security/commoncap functions used to get called from
> the LSM specific code. The handling of the capability
> functions has been moved out of the LSMs and into the
> hook handling.
>
> The /proc/*/attr interfaces are given to one LSM. This
> can be done by setting CONFIG_SECURITY_PRESENT. Additional
> interfaces have been created in /proc/*/attr so that
> each LSM has its own named interfaces.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Let me ask Andrew's question: Why do you want to do this (what is the
use case)? What does this gain us?
Also, you should use unique subjects for each of the patches in the
series.
--
Cheers,
Stephen Rothwell sfr@canb.auug.org.au
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 3:01 ` [PATCH v12 0/9] " Stephen Rothwell
@ 2013-01-08 3:59 ` Stephen Rothwell
2013-01-08 4:11 ` Casey Schaufler
2013-01-08 4:02 ` Casey Schaufler
1 sibling, 1 reply; 67+ messages in thread
From: Stephen Rothwell @ 2013-01-08 3:59 UTC (permalink / raw)
To: Casey Schaufler
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton
[-- Attachment #1: Type: text/plain, Size: 567 bytes --]
Hi Casey,
On Tue, 8 Jan 2013 14:01:59 +1100 Stephen Rothwell <sfr@canb.auug.org.au> wrote:
>
> Let me ask Andrew's question: Why do you want to do this (what is the
> use case)? What does this gain us?
>
> Also, you should use unique subjects for each of the patches in the
> series.
You probably also want to think a bit harder about the order of the
patches - you should introduce new APIs before you use them and remove
calls to functions before you remove the functions.
--
Cheers,
Stephen Rothwell sfr@canb.auug.org.au
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 3:01 ` [PATCH v12 0/9] " Stephen Rothwell
@ 2013-01-08 4:02 ` Casey Schaufler
2013-01-08 4:02 ` Casey Schaufler
1 sibling, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 4:02 UTC (permalink / raw)
To: Stephen Rothwell
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton, Casey Schaufler
On 1/7/2013 7:01 PM, Stephen Rothwell wrote:
> Hi Casey,
>
> On Mon, 07 Jan 2013 17:54:24 -0800 Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list based method
>> for handling multiple concurrent modules.
>>
>> A level of indirection has been introduced in the handling of
>> security blobs. LSMs no longer access ->security fields directly,
>> instead they use an abstraction provided by lsm_[gs]et field
>> functions.
>>
>> The XFRM hooks are only used by SELinux and it is not clear
>> that they can be shared. The First LSM that registers using
>> those hooks gets to use them. Any subsequent LSM that uses
>> those hooks is denied registration.
>>
>> Secids have not been made shareable. Only one LSM that uses
>> secids (SELinux and Smack) can be used at a time. The first
>> to register wins.
>>
>> The "security=" boot option takes a comma separated list of
>> LSMs, registering them in the order presented. The LSM hooks
>> will be executed in the order registered. Hooks that return
>> errors are not short circuited. All hooks are called even
>> if one of the LSM hooks fails. The result returned will be
>> that of the last LSM hook that failed.
>>
>> Some hooks don't fit that model. setprocattr, getprocattr,
>> and a few others are special cased. All behavior from
>> security/capability.c has been moved into the hook handling.
>> The security/commoncap functions used to get called from
>> the LSM specific code. The handling of the capability
>> functions has been moved out of the LSMs and into the
>> hook handling.
>>
>> The /proc/*/attr interfaces are given to one LSM. This
>> can be done by setting CONFIG_SECURITY_PRESENT. Additional
>> interfaces have been created in /proc/*/attr so that
>> each LSM has its own named interfaces.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Let me ask Andrew's question: Why do you want to do this (what is the
> use case)? What does this gain us?
There has been an amazing amount of development in system security
over the past three years. Almost none of it has been in the kernel.
One important reason that it is not getting done in the kernel is
that the current single LSM restriction requires an all or nothing
approach to security. Either you address all your needs with a single
LSM or you have to go with a user space solution, in which case you
may as well do everything in user space.
Multiple concurrent LSMs allows a system to be developed incrementally
and to combine a variety of approaches that meet new and interesting
needs. It allows for systems that are based on an LSM that does not
meet all of the requirements but that can be supplemented by another
LSM that fills the gaps. It allows an LSM like Smack that implements
label based access controls to remain true to its purpose even in the
face of pressure to add controls based on other mechanisms.
I have had requests for running Smack and AppArmor together Tetsuo has
long had need to put SELinux and TOMOYO on the same box. Yama was
recently special cased for stackability.
We are looking at security from different directions than ever before.
What good is a UID on a cell phone? I hear complaints about Android's
"abuse" of the UID. With the option of independent groups creating
smallish LSMs and integrating them by stacking we have the ability to
make the security systems modern devices require using a architecturally
clean model rather than hijacking existing mechanisms that work a
little bit like what you want to do.
I used to believe in a single, integrated security module that addressed
all the issues. Now that Linux is supporting everything from real time
tire pressure gauges in tricycles to the global no-fly list that just
doesn't seem reasonable. We need better turn around on supplemental
mechanisms. That means collections of smaller, simpler LSMs instead of
monoliths that only a few select individuals or organizations have any
hope of configuring properly.
The topic has been discussed at the past couple of Linux Security Summits
and the only real issue has been who would grind out the code. All of
the existing LSM maintainers are open to stacking.
> Also, you should use unique subjects for each of the patches in the
> series.
>
Yes, I noticed I'd mucked that up as they flew into the ether.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 4:02 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 4:02 UTC (permalink / raw)
To: Stephen Rothwell
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton, Casey Schaufler
On 1/7/2013 7:01 PM, Stephen Rothwell wrote:
> Hi Casey,
>
> On Mon, 07 Jan 2013 17:54:24 -0800 Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list based method
>> for handling multiple concurrent modules.
>>
>> A level of indirection has been introduced in the handling of
>> security blobs. LSMs no longer access ->security fields directly,
>> instead they use an abstraction provided by lsm_[gs]et field
>> functions.
>>
>> The XFRM hooks are only used by SELinux and it is not clear
>> that they can be shared. The First LSM that registers using
>> those hooks gets to use them. Any subsequent LSM that uses
>> those hooks is denied registration.
>>
>> Secids have not been made shareable. Only one LSM that uses
>> secids (SELinux and Smack) can be used at a time. The first
>> to register wins.
>>
>> The "security=" boot option takes a comma separated list of
>> LSMs, registering them in the order presented. The LSM hooks
>> will be executed in the order registered. Hooks that return
>> errors are not short circuited. All hooks are called even
>> if one of the LSM hooks fails. The result returned will be
>> that of the last LSM hook that failed.
>>
>> Some hooks don't fit that model. setprocattr, getprocattr,
>> and a few others are special cased. All behavior from
>> security/capability.c has been moved into the hook handling.
>> The security/commoncap functions used to get called from
>> the LSM specific code. The handling of the capability
>> functions has been moved out of the LSMs and into the
>> hook handling.
>>
>> The /proc/*/attr interfaces are given to one LSM. This
>> can be done by setting CONFIG_SECURITY_PRESENT. Additional
>> interfaces have been created in /proc/*/attr so that
>> each LSM has its own named interfaces.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Let me ask Andrew's question: Why do you want to do this (what is the
> use case)? What does this gain us?
There has been an amazing amount of development in system security
over the past three years. Almost none of it has been in the kernel.
One important reason that it is not getting done in the kernel is
that the current single LSM restriction requires an all or nothing
approach to security. Either you address all your needs with a single
LSM or you have to go with a user space solution, in which case you
may as well do everything in user space.
Multiple concurrent LSMs allows a system to be developed incrementally
and to combine a variety of approaches that meet new and interesting
needs. It allows for systems that are based on an LSM that does not
meet all of the requirements but that can be supplemented by another
LSM that fills the gaps. It allows an LSM like Smack that implements
label based access controls to remain true to its purpose even in the
face of pressure to add controls based on other mechanisms.
I have had requests for running Smack and AppArmor together Tetsuo has
long had need to put SELinux and TOMOYO on the same box. Yama was
recently special cased for stackability.
We are looking at security from different directions than ever before.
What good is a UID on a cell phone? I hear complaints about Android's
"abuse" of the UID. With the option of independent groups creating
smallish LSMs and integrating them by stacking we have the ability to
make the security systems modern devices require using a architecturally
clean model rather than hijacking existing mechanisms that work a
little bit like what you want to do.
I used to believe in a single, integrated security module that addressed
all the issues. Now that Linux is supporting everything from real time
tire pressure gauges in tricycles to the global no-fly list that just
doesn't seem reasonable. We need better turn around on supplemental
mechanisms. That means collections of smaller, simpler LSMs instead of
monoliths that only a few select individuals or organizations have any
hope of configuring properly.
The topic has been discussed at the past couple of Linux Security Summits
and the only real issue has been who would grind out the code. All of
the existing LSM maintainers are open to stacking.
> Also, you should use unique subjects for each of the patches in the
> series.
>
Yes, I noticed I'd mucked that up as they flew into the ether.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 3:59 ` Stephen Rothwell
@ 2013-01-08 4:11 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 4:11 UTC (permalink / raw)
To: Stephen Rothwell
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton, Casey Schaufler
On 1/7/2013 7:59 PM, Stephen Rothwell wrote:
> Hi Casey,
>
> On Tue, 8 Jan 2013 14:01:59 +1100 Stephen Rothwell <sfr@canb.auug.org.au> wrote:
>> Let me ask Andrew's question: Why do you want to do this (what is the
>> use case)? What does this gain us?
>>
>> Also, you should use unique subjects for each of the patches in the
>> series.
> You probably also want to think a bit harder about the order of the
> patches - you should introduce new APIs before you use them and remove
> calls to functions before you remove the functions.
>
The unfortunate reality is that I couldn't find a good way to stage the
changes. It's a wonking big set of infrastructure change. I could introduce
the security blob abstraction separately but that is a fraction of the
change. If it would have gone through mail filters as a single patch I'd
have sent it that way.
I can spend time on patch presentation, and will if necessary. As it is,
I can start getting substantive commentary from beyond the LSM crowd, who
have already been extremely cooperative and often critical.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 4:11 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 4:11 UTC (permalink / raw)
To: Stephen Rothwell
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton, Casey Schaufler
On 1/7/2013 7:59 PM, Stephen Rothwell wrote:
> Hi Casey,
>
> On Tue, 8 Jan 2013 14:01:59 +1100 Stephen Rothwell <sfr@canb.auug.org.au> wrote:
>> Let me ask Andrew's question: Why do you want to do this (what is the
>> use case)? What does this gain us?
>>
>> Also, you should use unique subjects for each of the patches in the
>> series.
> You probably also want to think a bit harder about the order of the
> patches - you should introduce new APIs before you use them and remove
> calls to functions before you remove the functions.
>
The unfortunate reality is that I couldn't find a good way to stage the
changes. It's a wonking big set of infrastructure change. I could introduce
the security blob abstraction separately but that is a fraction of the
change. If it would have gone through mail filters as a single patch I'd
have sent it that way.
I can spend time on patch presentation, and will if necessary. As it is,
I can start getting substantive commentary from beyond the LSM crowd, who
have already been extremely cooperative and often critical.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 4:11 ` Casey Schaufler
(?)
@ 2013-01-08 6:34 ` Vasily Kulikov
-1 siblings, 0 replies; 67+ messages in thread
From: Vasily Kulikov @ 2013-01-08 6:34 UTC (permalink / raw)
To: Casey Schaufler
Cc: Stephen Rothwell, James Morris, LSM, LKLM, SE Linux,
John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Andrew Morton
On Mon, Jan 07, 2013 at 20:11 -0800, Casey Schaufler wrote:
> On 1/7/2013 7:59 PM, Stephen Rothwell wrote:
> > You probably also want to think a bit harder about the order of the
> > patches - you should introduce new APIs before you use them and remove
> > calls to functions before you remove the functions.
> >
> The unfortunate reality is that I couldn't find a good way to stage the
> changes. It's a wonking big set of infrastructure change. I could introduce
> the security blob abstraction separately but that is a fraction of the
> change. If it would have gone through mail filters as a single patch I'd
> have sent it that way.
>
> I can spend time on patch presentation, and will if necessary.
I guess it can be divided this way:
1) Introduce lsm_get_cred(), etc. which unconditionally return
->security, ->i_security, etc.
2) Move all LSMs, procfs, etc. to the new API, a patch per LSM/subsystem.
3) Change structures along with new API.
The pro of the division is that if you have a bug in the series (and you
surely have! ;)) it is MUCH more simple to locate this bug (bisect, etc.).
Also it is more descriptive as you divide LSM changes and the core security
subsystem itself targeted on multiple LSMs which divides LSM
implementations (which might be not very important for someone) and the core
architecture (which is important for everybody).
Thanks,
--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 4:02 ` Casey Schaufler
(?)
@ 2013-01-08 6:38 ` Vasily Kulikov
-1 siblings, 0 replies; 67+ messages in thread
From: Vasily Kulikov @ 2013-01-08 6:38 UTC (permalink / raw)
To: Casey Schaufler
Cc: Stephen Rothwell, James Morris, LSM, LKLM, SE Linux,
John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Andrew Morton
On Mon, Jan 07, 2013 at 20:02 -0800, Casey Schaufler wrote:
> On 1/7/2013 7:01 PM, Stephen Rothwell wrote:
> > Let me ask Andrew's question: Why do you want to do this (what is the
> > use case)? What does this gain us?
>
> There has been an amazing amount of development in system security
> over the past three years. Almost none of it has been in the kernel.
> One important reason that it is not getting done in the kernel is
> that the current single LSM restriction requires an all or nothing
> approach to security. Either you address all your needs with a single
> LSM or you have to go with a user space solution, in which case you
> may as well do everything in user space.
[...]
You should also update Documentation/security/LSM.txt with new "security="
rules and rules of LSM stacking limitations. Motivation of stacking is
probably worth noting in Documentation/ too.
Thanks,
--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 4:02 ` Casey Schaufler
@ 2013-01-08 9:12 ` James Morris
-1 siblings, 0 replies; 67+ messages in thread
From: James Morris @ 2013-01-08 9:12 UTC (permalink / raw)
To: Casey Schaufler
Cc: Stephen Rothwell, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton
On Mon, 7 Jan 2013, Casey Schaufler wrote:
> There has been an amazing amount of development in system security
> over the past three years. Almost none of it has been in the kernel.
> One important reason that it is not getting done in the kernel is
> that the current single LSM restriction requires an all or nothing
> approach to security. Either you address all your needs with a single
> LSM or you have to go with a user space solution, in which case you
> may as well do everything in user space.
This sounds like a very spurious argument. If the development is better
done in userspace, then do it there.
There's no way to address all your security needs with an LSM in any case,
for any practical system. LSM is an API for making security decisions
about kernel flow, usually as part of implementing access control
mechanisms. It is not meant to provide any kind of total security
solution, and the argument that you can't do some security in userspace is
totally illogical.
Development should be done in userspace unless it must be done in the
kernel.
> Multiple concurrent LSMs allows a system to be developed incrementally
> and to combine a variety of approaches that meet new and interesting
> needs. It allows for systems that are based on an LSM that does not
> meet all of the requirements but that can be supplemented by another
> LSM that fills the gaps. It allows an LSM like Smack that implements
> label based access controls to remain true to its purpose even in the
> face of pressure to add controls based on other mechanisms.
>
> I have had requests for running Smack and AppArmor together Tetsuo has
> long had need to put SELinux and TOMOYO on the same box. Yama was
> recently special cased for stackability.
I'd say we need to see the actual use-case for Smack and Apparmor being
used together, along with at least one major distro committing to support
this.
Yama is special-cased and can stay that way.
SELinux and Tomoyo together makes no sense to me, and similarly, I would
like to see the specific use-case for it and distro commitment to support
it.
> We are looking at security from different directions than ever before.
> What good is a UID on a cell phone? I hear complaints about Android's
> "abuse" of the UID.
What is the UID issue and how does LSM stacking address it?
> With the option of independent groups creating smallish LSMs and
> integrating them by stacking we have the ability to make the security
> systems modern devices require using a architecturally clean model
> rather than hijacking existing mechanisms that work a little bit like
> what you want to do.
This is speculative.
>
> I used to believe in a single, integrated security module that addressed
> all the issues. Now that Linux is supporting everything from real time
> tire pressure gauges in tricycles to the global no-fly list that just
> doesn't seem reasonable. We need better turn around on supplemental
> mechanisms. That means collections of smaller, simpler LSMs instead of
> monoliths that only a few select individuals or organizations have any
> hope of configuring properly.
If you're trying to say that only a few select individuals or orgs can
configure things like SELinux and AppArmor properly, you're wrong, and the
evidence for that is overwhelming.
Also, are you saying that security mechanisms are inherently easier to
configure if they're composed from a variety of distinct modules vs. a
monolithic scheme?
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 9:12 ` James Morris
0 siblings, 0 replies; 67+ messages in thread
From: James Morris @ 2013-01-08 9:12 UTC (permalink / raw)
To: Casey Schaufler
Cc: Stephen Rothwell, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton
On Mon, 7 Jan 2013, Casey Schaufler wrote:
> There has been an amazing amount of development in system security
> over the past three years. Almost none of it has been in the kernel.
> One important reason that it is not getting done in the kernel is
> that the current single LSM restriction requires an all or nothing
> approach to security. Either you address all your needs with a single
> LSM or you have to go with a user space solution, in which case you
> may as well do everything in user space.
This sounds like a very spurious argument. If the development is better
done in userspace, then do it there.
There's no way to address all your security needs with an LSM in any case,
for any practical system. LSM is an API for making security decisions
about kernel flow, usually as part of implementing access control
mechanisms. It is not meant to provide any kind of total security
solution, and the argument that you can't do some security in userspace is
totally illogical.
Development should be done in userspace unless it must be done in the
kernel.
> Multiple concurrent LSMs allows a system to be developed incrementally
> and to combine a variety of approaches that meet new and interesting
> needs. It allows for systems that are based on an LSM that does not
> meet all of the requirements but that can be supplemented by another
> LSM that fills the gaps. It allows an LSM like Smack that implements
> label based access controls to remain true to its purpose even in the
> face of pressure to add controls based on other mechanisms.
>
> I have had requests for running Smack and AppArmor together Tetsuo has
> long had need to put SELinux and TOMOYO on the same box. Yama was
> recently special cased for stackability.
I'd say we need to see the actual use-case for Smack and Apparmor being
used together, along with at least one major distro committing to support
this.
Yama is special-cased and can stay that way.
SELinux and Tomoyo together makes no sense to me, and similarly, I would
like to see the specific use-case for it and distro commitment to support
it.
> We are looking at security from different directions than ever before.
> What good is a UID on a cell phone? I hear complaints about Android's
> "abuse" of the UID.
What is the UID issue and how does LSM stacking address it?
> With the option of independent groups creating smallish LSMs and
> integrating them by stacking we have the ability to make the security
> systems modern devices require using a architecturally clean model
> rather than hijacking existing mechanisms that work a little bit like
> what you want to do.
This is speculative.
>
> I used to believe in a single, integrated security module that addressed
> all the issues. Now that Linux is supporting everything from real time
> tire pressure gauges in tricycles to the global no-fly list that just
> doesn't seem reasonable. We need better turn around on supplemental
> mechanisms. That means collections of smaller, simpler LSMs instead of
> monoliths that only a few select individuals or organizations have any
> hope of configuring properly.
If you're trying to say that only a few select individuals or orgs can
configure things like SELinux and AppArmor properly, you're wrong, and the
evidence for that is overwhelming.
Also, are you saying that security mechanisms are inherently easier to
configure if they're composed from a variety of distinct modules vs. a
monolithic scheme?
--
James Morris
<jmorris@namei.org>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 9:12 ` James Morris
@ 2013-01-08 17:14 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 17:14 UTC (permalink / raw)
To: James Morris
Cc: Stephen Rothwell, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton, Casey Schaufler
On 1/8/2013 1:12 AM, James Morris wrote:
> On Mon, 7 Jan 2013, Casey Schaufler wrote:
>
>> There has been an amazing amount of development in system security
>> over the past three years. Almost none of it has been in the kernel.
>> One important reason that it is not getting done in the kernel is
>> that the current single LSM restriction requires an all or nothing
>> approach to security. Either you address all your needs with a single
>> LSM or you have to go with a user space solution, in which case you
>> may as well do everything in user space.
> This sounds like a very spurious argument. If the development is better
> done in userspace, then do it there.
When the security scheme is better implemented in user space
because it requires information available in user space I agree.
When the security scheme is implemented in user space because
the environment for building it in the kernel is not up to
modern development paradigms I disagree. If you can't work on
two aspects of your security independently you're not going
to keep up with the Jones'.
> There's no way to address all your security needs with an LSM in any case,
> for any practical system.
Please review the arguments made in support of dropping the
LSM entirely in favor of SELinux as *the* Linux security
infrastructure.
I certainly agree that no one LSM covers all need today.
I also agree that no single LSM will ever meet everyone's
needs. My solution is to allow multiple LSMs so that it is
easier to approach the goal.
> LSM is an API for making security decisions
> about kernel flow, usually as part of implementing access control
> mechanisms. It is not meant to provide any kind of total security
> solution, and the argument that you can't do some security in userspace is
> totally illogical.
What I was hoping to say, and apparently didn't, is that people
are developing "total" solutions in user space, when some of the
work ought to be done in an LSM. Work that is appropriate to the
kernel is being done in user space. Often badly, because the
kernel provides too many mechanisms to circumvent user space
based access controls.
> Development should be done in userspace unless it must be done in the
> kernel.
And we'll be arguing what "must" means long after penguins get the vote.
User space code does not have the opportunity to control the
objects that the kernel manages. Nor should it. Files, sockets,
network packets and signals all must be managed in the kernel.
Some of the user space attempts we're seeing are pretty scary.
>> Multiple concurrent LSMs allows a system to be developed incrementally
>> and to combine a variety of approaches that meet new and interesting
>> needs. It allows for systems that are based on an LSM that does not
>> meet all of the requirements but that can be supplemented by another
>> LSM that fills the gaps. It allows an LSM like Smack that implements
>> label based access controls to remain true to its purpose even in the
>> face of pressure to add controls based on other mechanisms.
>>
>> I have had requests for running Smack and AppArmor together Tetsuo has
>> long had need to put SELinux and TOMOYO on the same box. Yama was
>> recently special cased for stackability.
> I'd say we need to see the actual use-case for Smack and Apparmor being
> used together, along with at least one major distro committing to support
> this.
Or SELinux and TOMOYO. Or AppArmor and TOMOYO.
And before we get too far, distros are no longer the driving force
for Linux development. I suggest that "operating systems", including
ChromiumOS, Android and Tizen are every bit as important. I suggest
that if Android wants to use SELinux and AppArmor those wild and
crazy folks in Mountain View ought to be able to do so.
> Yama is special-cased and can stay that way.
Yama is *not* a special case, it is an example. It is the kind
of new thing that provides security that is not access control.
It was special cased at the request of distros because there was
no general mechanism for including it along with the primary
LSM.
> SELinux and Tomoyo together makes no sense to me, and similarly, I would
> like to see the specific use-case for it and distro commitment to support
> it.
I'm not the advocate for that particular combination.
The point is that there are advocates. And distros are not
the only drivers. I agree that some consumer (distro, "OS")
needs to step forward.
>> We are looking at security from different directions than ever before.
>> What good is a UID on a cell phone? I hear complaints about Android's
>> "abuse" of the UID.
> What is the UID issue and how does LSM stacking address it?
Android utilizes UIDs in a way that has often been referred to as
"hijacking". The UID mechanism supports much of what they want,
but clearly isn't complete. Now that Android is moving to multi-user
support they're hitting conflicts with their use of the UID
attribute. They really ought to be using an LSM that implements
the security policy they want rather than hacking around the
behavior of UID based controls.
>> With the option of independent groups creating smallish LSMs and
>> integrating them by stacking we have the ability to make the security
>> systems modern devices require using a architecturally clean model
>> rather than hijacking existing mechanisms that work a little bit like
>> what you want to do.
> This is speculative.
That multiple LSMs provides the tool is not speculation.
That new development would ensue is indeed speculative.
Or at least not yet public.
>> I used to believe in a single, integrated security module that addressed
>> all the issues. Now that Linux is supporting everything from real time
>> tire pressure gauges in tricycles to the global no-fly list that just
>> doesn't seem reasonable. We need better turn around on supplemental
>> mechanisms. That means collections of smaller, simpler LSMs instead of
>> monoliths that only a few select individuals or organizations have any
>> hope of configuring properly.
> If you're trying to say that only a few select individuals or orgs can
> configure things like SELinux and AppArmor properly, you're wrong, and the
> evidence for that is overwhelming.
Disto & OS vendors have the knowledge and tools to do this right.
> Also, are you saying that security mechanisms are inherently easier to
> configure if they're composed from a variety of distinct modules vs. a
> monolithic scheme?
Nope. I'm saying that for specific use cases including but not limited to
telephones, TVs and surveillance networks it is simpler and more appropriate
to create the access control and security schemes that directly address
the needs than to attempt to squeeze them into corsets designed in the
1990's.
And to top it off, Yama has no configuration. It's lots easier to configure.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 17:14 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 17:14 UTC (permalink / raw)
To: James Morris
Cc: Stephen Rothwell, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton, Casey Schaufler
On 1/8/2013 1:12 AM, James Morris wrote:
> On Mon, 7 Jan 2013, Casey Schaufler wrote:
>
>> There has been an amazing amount of development in system security
>> over the past three years. Almost none of it has been in the kernel.
>> One important reason that it is not getting done in the kernel is
>> that the current single LSM restriction requires an all or nothing
>> approach to security. Either you address all your needs with a single
>> LSM or you have to go with a user space solution, in which case you
>> may as well do everything in user space.
> This sounds like a very spurious argument. If the development is better
> done in userspace, then do it there.
When the security scheme is better implemented in user space
because it requires information available in user space I agree.
When the security scheme is implemented in user space because
the environment for building it in the kernel is not up to
modern development paradigms I disagree. If you can't work on
two aspects of your security independently you're not going
to keep up with the Jones'.
> There's no way to address all your security needs with an LSM in any case,
> for any practical system.
Please review the arguments made in support of dropping the
LSM entirely in favor of SELinux as *the* Linux security
infrastructure.
I certainly agree that no one LSM covers all need today.
I also agree that no single LSM will ever meet everyone's
needs. My solution is to allow multiple LSMs so that it is
easier to approach the goal.
> LSM is an API for making security decisions
> about kernel flow, usually as part of implementing access control
> mechanisms. It is not meant to provide any kind of total security
> solution, and the argument that you can't do some security in userspace is
> totally illogical.
What I was hoping to say, and apparently didn't, is that people
are developing "total" solutions in user space, when some of the
work ought to be done in an LSM. Work that is appropriate to the
kernel is being done in user space. Often badly, because the
kernel provides too many mechanisms to circumvent user space
based access controls.
> Development should be done in userspace unless it must be done in the
> kernel.
And we'll be arguing what "must" means long after penguins get the vote.
User space code does not have the opportunity to control the
objects that the kernel manages. Nor should it. Files, sockets,
network packets and signals all must be managed in the kernel.
Some of the user space attempts we're seeing are pretty scary.
>> Multiple concurrent LSMs allows a system to be developed incrementally
>> and to combine a variety of approaches that meet new and interesting
>> needs. It allows for systems that are based on an LSM that does not
>> meet all of the requirements but that can be supplemented by another
>> LSM that fills the gaps. It allows an LSM like Smack that implements
>> label based access controls to remain true to its purpose even in the
>> face of pressure to add controls based on other mechanisms.
>>
>> I have had requests for running Smack and AppArmor together Tetsuo has
>> long had need to put SELinux and TOMOYO on the same box. Yama was
>> recently special cased for stackability.
> I'd say we need to see the actual use-case for Smack and Apparmor being
> used together, along with at least one major distro committing to support
> this.
Or SELinux and TOMOYO. Or AppArmor and TOMOYO.
And before we get too far, distros are no longer the driving force
for Linux development. I suggest that "operating systems", including
ChromiumOS, Android and Tizen are every bit as important. I suggest
that if Android wants to use SELinux and AppArmor those wild and
crazy folks in Mountain View ought to be able to do so.
> Yama is special-cased and can stay that way.
Yama is *not* a special case, it is an example. It is the kind
of new thing that provides security that is not access control.
It was special cased at the request of distros because there was
no general mechanism for including it along with the primary
LSM.
> SELinux and Tomoyo together makes no sense to me, and similarly, I would
> like to see the specific use-case for it and distro commitment to support
> it.
I'm not the advocate for that particular combination.
The point is that there are advocates. And distros are not
the only drivers. I agree that some consumer (distro, "OS")
needs to step forward.
>> We are looking at security from different directions than ever before.
>> What good is a UID on a cell phone? I hear complaints about Android's
>> "abuse" of the UID.
> What is the UID issue and how does LSM stacking address it?
Android utilizes UIDs in a way that has often been referred to as
"hijacking". The UID mechanism supports much of what they want,
but clearly isn't complete. Now that Android is moving to multi-user
support they're hitting conflicts with their use of the UID
attribute. They really ought to be using an LSM that implements
the security policy they want rather than hacking around the
behavior of UID based controls.
>> With the option of independent groups creating smallish LSMs and
>> integrating them by stacking we have the ability to make the security
>> systems modern devices require using a architecturally clean model
>> rather than hijacking existing mechanisms that work a little bit like
>> what you want to do.
> This is speculative.
That multiple LSMs provides the tool is not speculation.
That new development would ensue is indeed speculative.
Or at least not yet public.
>> I used to believe in a single, integrated security module that addressed
>> all the issues. Now that Linux is supporting everything from real time
>> tire pressure gauges in tricycles to the global no-fly list that just
>> doesn't seem reasonable. We need better turn around on supplemental
>> mechanisms. That means collections of smaller, simpler LSMs instead of
>> monoliths that only a few select individuals or organizations have any
>> hope of configuring properly.
> If you're trying to say that only a few select individuals or orgs can
> configure things like SELinux and AppArmor properly, you're wrong, and the
> evidence for that is overwhelming.
Disto & OS vendors have the knowledge and tools to do this right.
> Also, are you saying that security mechanisms are inherently easier to
> configure if they're composed from a variety of distinct modules vs. a
> monolithic scheme?
Nope. I'm saying that for specific use cases including but not limited to
telephones, TVs and surveillance networks it is simpler and more appropriate
to create the access control and security schemes that directly address
the needs than to attempt to squeeze them into corsets designed in the
1990's.
And to top it off, Yama has no configuration. It's lots easier to configure.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
@ 2013-01-08 17:47 ` Stephen Smalley
-1 siblings, 0 replies; 67+ messages in thread
From: Stephen Smalley @ 2013-01-08 17:47 UTC (permalink / raw)
To: Casey Schaufler
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
On 01/07/2013 08:54 PM, Casey Schaufler wrote:
> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s
> from a single vector of hook handlers to a list based method
> for handling multiple concurrent modules.
>
> A level of indirection has been introduced in the handling of
> security blobs. LSMs no longer access ->security fields directly,
> instead they use an abstraction provided by lsm_[gs]et field
> functions.
>
> The XFRM hooks are only used by SELinux and it is not clear
> that they can be shared. The First LSM that registers using
> those hooks gets to use them. Any subsequent LSM that uses
> those hooks is denied registration.
>
> Secids have not been made shareable. Only one LSM that uses
> secids (SELinux and Smack) can be used at a time. The first
> to register wins.
>
> The "security=" boot option takes a comma separated list of
> LSMs, registering them in the order presented. The LSM hooks
> will be executed in the order registered. Hooks that return
> errors are not short circuited. All hooks are called even
> if one of the LSM hooks fails. The result returned will be
> that of the last LSM hook that failed.
>
> Some hooks don't fit that model. setprocattr, getprocattr,
> and a few others are special cased. All behavior from
> security/capability.c has been moved into the hook handling.
> The security/commoncap functions used to get called from
> the LSM specific code. The handling of the capability
> functions has been moved out of the LSMs and into the
> hook handling.
>
> The /proc/*/attr interfaces are given to one LSM. This
> can be done by setting CONFIG_SECURITY_PRESENT. Additional
> interfaces have been created in /proc/*/attr so that
> each LSM has its own named interfaces.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Have you run any benchmarks, particularly to compare performance
overhead in the simple case of a single LSM?
IIRC, the AppArmor devs indicated that they plan to start using secids,
which would mean that it would not be possible to stack AppArmor with
Smack or SELinux using this mechanism. So eventually that would have to
be addressed in order for this to even support the AppArmor+Smack or
AppArmor+SELinux use cases.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 17:47 ` Stephen Smalley
0 siblings, 0 replies; 67+ messages in thread
From: Stephen Smalley @ 2013-01-08 17:47 UTC (permalink / raw)
To: Casey Schaufler
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
On 01/07/2013 08:54 PM, Casey Schaufler wrote:
> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s
> from a single vector of hook handlers to a list based method
> for handling multiple concurrent modules.
>
> A level of indirection has been introduced in the handling of
> security blobs. LSMs no longer access ->security fields directly,
> instead they use an abstraction provided by lsm_[gs]et field
> functions.
>
> The XFRM hooks are only used by SELinux and it is not clear
> that they can be shared. The First LSM that registers using
> those hooks gets to use them. Any subsequent LSM that uses
> those hooks is denied registration.
>
> Secids have not been made shareable. Only one LSM that uses
> secids (SELinux and Smack) can be used at a time. The first
> to register wins.
>
> The "security=" boot option takes a comma separated list of
> LSMs, registering them in the order presented. The LSM hooks
> will be executed in the order registered. Hooks that return
> errors are not short circuited. All hooks are called even
> if one of the LSM hooks fails. The result returned will be
> that of the last LSM hook that failed.
>
> Some hooks don't fit that model. setprocattr, getprocattr,
> and a few others are special cased. All behavior from
> security/capability.c has been moved into the hook handling.
> The security/commoncap functions used to get called from
> the LSM specific code. The handling of the capability
> functions has been moved out of the LSMs and into the
> hook handling.
>
> The /proc/*/attr interfaces are given to one LSM. This
> can be done by setting CONFIG_SECURITY_PRESENT. Additional
> interfaces have been created in /proc/*/attr so that
> each LSM has its own named interfaces.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Have you run any benchmarks, particularly to compare performance
overhead in the simple case of a single LSM?
IIRC, the AppArmor devs indicated that they plan to start using secids,
which would mean that it would not be possible to stack AppArmor with
Smack or SELinux using this mechanism. So eventually that would have to
be addressed in order for this to even support the AppArmor+Smack or
AppArmor+SELinux use cases.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 17:47 ` Stephen Smalley
@ 2013-01-08 18:17 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 18:17 UTC (permalink / raw)
To: Stephen Smalley
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Casey Schaufler
On 1/8/2013 9:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list based method
>> for handling multiple concurrent modules.
>>
>> A level of indirection has been introduced in the handling of
>> security blobs. LSMs no longer access ->security fields directly,
>> instead they use an abstraction provided by lsm_[gs]et field
>> functions.
>>
>> The XFRM hooks are only used by SELinux and it is not clear
>> that they can be shared. The First LSM that registers using
>> those hooks gets to use them. Any subsequent LSM that uses
>> those hooks is denied registration.
>>
>> Secids have not been made shareable. Only one LSM that uses
>> secids (SELinux and Smack) can be used at a time. The first
>> to register wins.
>>
>> The "security=" boot option takes a comma separated list of
>> LSMs, registering them in the order presented. The LSM hooks
>> will be executed in the order registered. Hooks that return
>> errors are not short circuited. All hooks are called even
>> if one of the LSM hooks fails. The result returned will be
>> that of the last LSM hook that failed.
>>
>> Some hooks don't fit that model. setprocattr, getprocattr,
>> and a few others are special cased. All behavior from
>> security/capability.c has been moved into the hook handling.
>> The security/commoncap functions used to get called from
>> the LSM specific code. The handling of the capability
>> functions has been moved out of the LSMs and into the
>> hook handling.
>>
>> The /proc/*/attr interfaces are given to one LSM. This
>> can be done by setting CONFIG_SECURITY_PRESENT. Additional
>> interfaces have been created in /proc/*/attr so that
>> each LSM has its own named interfaces.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> Have you run any benchmarks, particularly to compare performance
> overhead in the simple case of a single LSM?
My benchmark work is in the early stages and frankly my
facilities are poorly suited to getting real numbers. One of
the things that someone in the community could do that would
be very helpful would be do some such comparisons. I am
working on getting numbers that are defensible, but it will
take a bit of time.
>
> IIRC, the AppArmor devs indicated that they plan to start using
> secids, which would mean that it would not be possible to stack
> AppArmor with Smack or SELinux using this mechanism. So eventually
> that would have to be addressed in order for this to even support the
> AppArmor+Smack or AppArmor+SELinux use cases.
>
That is my understanding as well. Having groveled around in the
realities of LSM hook usage for some time now I have developed ideas
around the problem. Unfortunately, no one change is going to address
all of the use models. Networking, audit and caching all use secids
in their own clever ways. This is another area where I would be
delighted to entertain suggested implementations.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-08 18:17 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-08 18:17 UTC (permalink / raw)
To: Stephen Smalley
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Casey Schaufler
On 1/8/2013 9:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list based method
>> for handling multiple concurrent modules.
>>
>> A level of indirection has been introduced in the handling of
>> security blobs. LSMs no longer access ->security fields directly,
>> instead they use an abstraction provided by lsm_[gs]et field
>> functions.
>>
>> The XFRM hooks are only used by SELinux and it is not clear
>> that they can be shared. The First LSM that registers using
>> those hooks gets to use them. Any subsequent LSM that uses
>> those hooks is denied registration.
>>
>> Secids have not been made shareable. Only one LSM that uses
>> secids (SELinux and Smack) can be used at a time. The first
>> to register wins.
>>
>> The "security=" boot option takes a comma separated list of
>> LSMs, registering them in the order presented. The LSM hooks
>> will be executed in the order registered. Hooks that return
>> errors are not short circuited. All hooks are called even
>> if one of the LSM hooks fails. The result returned will be
>> that of the last LSM hook that failed.
>>
>> Some hooks don't fit that model. setprocattr, getprocattr,
>> and a few others are special cased. All behavior from
>> security/capability.c has been moved into the hook handling.
>> The security/commoncap functions used to get called from
>> the LSM specific code. The handling of the capability
>> functions has been moved out of the LSMs and into the
>> hook handling.
>>
>> The /proc/*/attr interfaces are given to one LSM. This
>> can be done by setting CONFIG_SECURITY_PRESENT. Additional
>> interfaces have been created in /proc/*/attr so that
>> each LSM has its own named interfaces.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> Have you run any benchmarks, particularly to compare performance
> overhead in the simple case of a single LSM?
My benchmark work is in the early stages and frankly my
facilities are poorly suited to getting real numbers. One of
the things that someone in the community could do that would
be very helpful would be do some such comparisons. I am
working on getting numbers that are defensible, but it will
take a bit of time.
>
> IIRC, the AppArmor devs indicated that they plan to start using
> secids, which would mean that it would not be possible to stack
> AppArmor with Smack or SELinux using this mechanism. So eventually
> that would have to be addressed in order for this to even support the
> AppArmor+Smack or AppArmor+SELinux use cases.
>
That is my understanding as well. Having groveled around in the
realities of LSM hook usage for some time now I have developed ideas
around the problem. Unfortunately, no one change is going to address
all of the use models. Networking, audit and caching all use secids
in their own clever ways. This is another area where I would be
delighted to entertain suggested implementations.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 17:47 ` Stephen Smalley
(?)
(?)
@ 2013-01-08 20:01 ` John Johansen
-1 siblings, 0 replies; 67+ messages in thread
From: John Johansen @ 2013-01-08 20:01 UTC (permalink / raw)
To: Stephen Smalley
Cc: Casey Schaufler, James Morris, LSM, LKLM, SE Linux, Eric Paris,
Tetsuo Handa, Kees Cook
On 01/08/2013 09:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list based method
>> for handling multiple concurrent modules.
>>
>> A level of indirection has been introduced in the handling of
>> security blobs. LSMs no longer access ->security fields directly,
>> instead they use an abstraction provided by lsm_[gs]et field
>> functions.
>>
>> The XFRM hooks are only used by SELinux and it is not clear
>> that they can be shared. The First LSM that registers using
>> those hooks gets to use them. Any subsequent LSM that uses
>> those hooks is denied registration.
>>
>> Secids have not been made shareable. Only one LSM that uses
>> secids (SELinux and Smack) can be used at a time. The first
>> to register wins.
>>
>> The "security=" boot option takes a comma separated list of
>> LSMs, registering them in the order presented. The LSM hooks
>> will be executed in the order registered. Hooks that return
>> errors are not short circuited. All hooks are called even
>> if one of the LSM hooks fails. The result returned will be
>> that of the last LSM hook that failed.
>>
>> Some hooks don't fit that model. setprocattr, getprocattr,
>> and a few others are special cased. All behavior from
>> security/capability.c has been moved into the hook handling.
>> The security/commoncap functions used to get called from
>> the LSM specific code. The handling of the capability
>> functions has been moved out of the LSMs and into the
>> hook handling.
>>
>> The /proc/*/attr interfaces are given to one LSM. This
>> can be done by setting CONFIG_SECURITY_PRESENT. Additional
>> interfaces have been created in /proc/*/attr so that
>> each LSM has its own named interfaces.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> Have you run any benchmarks, particularly to compare performance overhead in the simple case of a single LSM?
>
I am very interested in this as well and have been meaning to
do some testing here but haven't had the time yet.
> IIRC, the AppArmor devs indicated that they plan to start using secids, which would mean that it would not be possible to stack AppArmor with Smack or SELinux using this mechanism. So eventually that would have to be addressed in order for this to even support the AppArmor+Smack or AppArmor+SELinux use cases.
>
>
We do intend to use secids, but it is being done so that its
configurable. Configuring it off means you loose apparmor
mediation for the bits that need secids. Solving the secids
issue is of interest but its not required atm.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 17:14 ` Casey Schaufler
(?)
@ 2013-01-08 20:19 ` Kees Cook
-1 siblings, 0 replies; 67+ messages in thread
From: Kees Cook @ 2013-01-08 20:19 UTC (permalink / raw)
To: Casey Schaufler
Cc: James Morris, Stephen Rothwell, LSM, LKLM, SE Linux,
John Johansen, Eric Paris, Tetsuo Handa, Andrew Morton
On Tue, Jan 8, 2013 at 9:14 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 1/8/2013 1:12 AM, James Morris wrote:
>> Yama is special-cased and can stay that way.
>
> Yama is *not* a special case, it is an example. It is the kind
> of new thing that provides security that is not access control.
> It was special cased at the request of distros because there was
> no general mechanism for including it along with the primary
> LSM.
I think he meant "there is a CONFIG to special-case Yama", but yes,
Yama is a good example. Now that finit_module has landed, I intend to
send another micro-LSM to provide logic for blocking modules when the
root devices is read-only.
It would be another example of an LSM that needs to be stacked with others.
-Kees
--
Kees Cook
Chrome OS Security
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 1:54 ` Casey Schaufler
` (11 preceding siblings ...)
(?)
@ 2013-01-08 20:22 ` Kees Cook
-1 siblings, 0 replies; 67+ messages in thread
From: Kees Cook @ 2013-01-08 20:22 UTC (permalink / raw)
To: Casey Schaufler
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa
On Mon, Jan 7, 2013 at 5:54 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
> [...]
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Feel free to carry my Acked-by on the Yama bits and the core bits.
Looks great. :)
-Kees
--
Kees Cook
Chrome OS Security
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 9:12 ` James Morris
(?)
(?)
@ 2013-01-08 20:40 ` John Johansen
2013-01-09 13:28 ` James Morris
-1 siblings, 1 reply; 67+ messages in thread
From: John Johansen @ 2013-01-08 20:40 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, Stephen Rothwell, LSM, LKLM, SE Linux,
Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
On 01/08/2013 01:12 AM, James Morris wrote:
> On Mon, 7 Jan 2013, Casey Schaufler wrote:
>
>> There has been an amazing amount of development in system security
>> over the past three years. Almost none of it has been in the kernel.
>> One important reason that it is not getting done in the kernel is
>> that the current single LSM restriction requires an all or nothing
>> approach to security. Either you address all your needs with a single
>> LSM or you have to go with a user space solution, in which case you
>> may as well do everything in user space.
>
> This sounds like a very spurious argument. If the development is better
> done in userspace, then do it there.
>
> There's no way to address all your security needs with an LSM in any case,
> for any practical system. LSM is an API for making security decisions
> about kernel flow, usually as part of implementing access control
> mechanisms. It is not meant to provide any kind of total security
> solution, and the argument that you can't do some security in userspace is
> totally illogical.
>
> Development should be done in userspace unless it must be done in the
> kernel.
>
>> Multiple concurrent LSMs allows a system to be developed incrementally
>> and to combine a variety of approaches that meet new and interesting
>> needs. It allows for systems that are based on an LSM that does not
>> meet all of the requirements but that can be supplemented by another
>> LSM that fills the gaps. It allows an LSM like Smack that implements
>> label based access controls to remain true to its purpose even in the
>> face of pressure to add controls based on other mechanisms.
>>
>> I have had requests for running Smack and AppArmor together Tetsuo has
>> long had need to put SELinux and TOMOYO on the same box. Yama was
>> recently special cased for stackability.
>
> I'd say we need to see the actual use-case for Smack and Apparmor being
> used together, along with at least one major distro committing to support
> this.
>
>
Ubuntu is very interested in stacking
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 20:40 ` John Johansen
@ 2013-01-09 13:28 ` James Morris
0 siblings, 0 replies; 67+ messages in thread
From: James Morris @ 2013-01-09 13:28 UTC (permalink / raw)
To: John Johansen
Cc: Casey Schaufler, Stephen Rothwell, LSM, LKLM, SE Linux,
Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
On Tue, 8 Jan 2013, John Johansen wrote:
> > I'd say we need to see the actual use-case for Smack and Apparmor being
> > used together, along with at least one major distro committing to support
> > this.
> >
> >
> Ubuntu is very interested in stacking
Which modules?
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-09 13:28 ` James Morris
0 siblings, 0 replies; 67+ messages in thread
From: James Morris @ 2013-01-09 13:28 UTC (permalink / raw)
To: John Johansen
Cc: Casey Schaufler, Stephen Rothwell, LSM, LKLM, SE Linux,
Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
On Tue, 8 Jan 2013, John Johansen wrote:
> > I'd say we need to see the actual use-case for Smack and Apparmor being
> > used together, along with at least one major distro committing to support
> > this.
> >
> >
> Ubuntu is very interested in stacking
Which modules?
--
James Morris
<jmorris@namei.org>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 17:14 ` Casey Schaufler
@ 2013-01-09 13:42 ` James Morris
-1 siblings, 0 replies; 67+ messages in thread
From: James Morris @ 2013-01-09 13:42 UTC (permalink / raw)
To: Casey Schaufler
Cc: Stephen Rothwell, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton
On Tue, 8 Jan 2013, Casey Schaufler wrote:
> What I was hoping to say, and apparently didn't, is that people
> are developing "total" solutions in user space, when some of the
> work ought to be done in an LSM. Work that is appropriate to the
> kernel is being done in user space. Often badly, because the
> kernel provides too many mechanisms to circumvent user space
> based access controls.
People do stupid things all the time. How is this particular case our
problem to fix? Do you have any concrete examples?
> And before we get too far, distros are no longer the driving force
> for Linux development. I suggest that "operating systems", including
> ChromiumOS, Android and Tizen are every bit as important.
Indeed. I was including these projects as "distros".
> > What is the UID issue and how does LSM stacking address it?
>
> Android utilizes UIDs in a way that has often been referred to as
> "hijacking". The UID mechanism supports much of what they want,
> but clearly isn't complete. Now that Android is moving to multi-user
> support they're hitting conflicts with their use of the UID
> attribute. They really ought to be using an LSM that implements
> the security policy they want rather than hacking around the
> behavior of UID based controls.
Right, so they implement an LSM to do what they need. What does this have
to do with stacking?
> > Also, are you saying that security mechanisms are inherently easier to
> > configure if they're composed from a variety of distinct modules vs. a
> > monolithic scheme?
>
> Nope. I'm saying that for specific use cases including but not limited to
> telephones, TVs and surveillance networks it is simpler and more appropriate
> to create the access control and security schemes that directly address
> the needs than to attempt to squeeze them into corsets designed in the
> 1990's.
That may be true, but we do need at least one significant user to step up
with concrete plans for deployment.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-09 13:42 ` James Morris
0 siblings, 0 replies; 67+ messages in thread
From: James Morris @ 2013-01-09 13:42 UTC (permalink / raw)
To: Casey Schaufler
Cc: Stephen Rothwell, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton
On Tue, 8 Jan 2013, Casey Schaufler wrote:
> What I was hoping to say, and apparently didn't, is that people
> are developing "total" solutions in user space, when some of the
> work ought to be done in an LSM. Work that is appropriate to the
> kernel is being done in user space. Often badly, because the
> kernel provides too many mechanisms to circumvent user space
> based access controls.
People do stupid things all the time. How is this particular case our
problem to fix? Do you have any concrete examples?
> And before we get too far, distros are no longer the driving force
> for Linux development. I suggest that "operating systems", including
> ChromiumOS, Android and Tizen are every bit as important.
Indeed. I was including these projects as "distros".
> > What is the UID issue and how does LSM stacking address it?
>
> Android utilizes UIDs in a way that has often been referred to as
> "hijacking". The UID mechanism supports much of what they want,
> but clearly isn't complete. Now that Android is moving to multi-user
> support they're hitting conflicts with their use of the UID
> attribute. They really ought to be using an LSM that implements
> the security policy they want rather than hacking around the
> behavior of UID based controls.
Right, so they implement an LSM to do what they need. What does this have
to do with stacking?
> > Also, are you saying that security mechanisms are inherently easier to
> > configure if they're composed from a variety of distinct modules vs. a
> > monolithic scheme?
>
> Nope. I'm saying that for specific use cases including but not limited to
> telephones, TVs and surveillance networks it is simpler and more appropriate
> to create the access control and security schemes that directly address
> the needs than to attempt to squeeze them into corsets designed in the
> 1990's.
That may be true, but we do need at least one significant user to step up
with concrete plans for deployment.
--
James Morris
<jmorris@namei.org>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
[not found] ` <201301092211.CGF18746.LMOHJFOOFQtVSF@I-love.SAKURA.ne.jp>
@ 2013-01-09 16:26 ` Casey Schaufler
[not found] ` <50EE9BAE.5010101@canonical.com>
[not found] ` <201301212142.FGF86433.OVQJFMHFLtFSOO@I-love.SAKURA.ne.jp>
0 siblings, 2 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-09 16:26 UTC (permalink / raw)
To: Tetsuo Handa
Cc: jmorris, linux-security-module, selinux, john.johansen, eparis,
keescook, Casey Schaufler
On 1/9/2013 5:11 AM, Tetsuo Handa wrote:
> Casey Schaufler wrote:
>> +/* Save user chosen LSM(s) */
>> static int __init choose_lsm(char *str)
>> {
>> - strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
>> + char *cp;
>> + char *ep;
>> + int i;
>> +
>> + strncpy(allowed_lsms, str, COMPOSER_NAMES_MAX);
>> + cp = allowed_lsms;
>> +
>> + for (i = 0; i < COMPOSER_MAX; i++) {
>> + ep = strchr(cp, ',');
>> + if (ep != NULL)
>> + *ep = '\0';
>> + if (strlen(cp) > SECURITY_NAME_MAX)
>> + pr_warn("LSM \"%s\" is invalid and ignored.\n", cp);
> panic() might be OK for notifying the administrator of invalid module name.
I don't think panic is a good idea unless there is no alternative.
Even then it's a bad idea. It's just all you can do.
>> + else
>> + strncpy(specified_lsms[i], cp, SECURITY_NAME_MAX);
>> + if (ep == NULL)
>> + break;
>> + cp = ep + 1;
>> + }
>> +
>> return 1;
>> }
>> __setup("security=", choose_lsm);
>> @@ -94,74 +398,303 @@ __setup("security=", choose_lsm);
>> * to check if your LSM is currently loaded during kernel initialization.
>> *
>> * Return true if:
>> - * -The passed LSM is the one chosen by user at boot time,
>> - * -or the passed LSM is configured as the default and the user did not
>> - * choose an alternate LSM at boot time.
>> + * -The passed LSM is on the list of LSMs specified at boot time,
>> + * -or no boot list was specified.
>> * Otherwise, return false.
>> */
>> int __init security_module_enable(struct security_operations *ops)
>> {
>> - return !strcmp(ops->name, chosen_lsm);
>> -}
>> + struct security_operations *sop;
>> + int i;
>>
>> -/**
>> - * register_security - registers a security framework with the kernel
>> - * @ops: a pointer to the struct security_options that is to be registered
>> - *
>> - * This function allows a security module to register itself with the
>> - * kernel security subsystem. Some rudimentary checking is done on the @ops
>> - * value passed to this function. You'll need to check first if your LSM
>> - * is allowed to register its @ops by calling security_module_enable(@ops).
>> - *
>> - * If there is already a security module registered with the kernel,
>> - * an error will be returned. Otherwise %0 is returned on success.
>> - */
>> -int __init register_security(struct security_operations *ops)
>> -{
> This change makes security_module_enable() to imply register_security(), but
> do we want to continue booting (i.e. "return 0;" rather than "panic();" if
> security_module_enable() failed by "Too many" or "LSM conflict on ..." cases?
I'm personally sensitive to people screaming that "every time I try to
configure security the system breaks!" so I am disinclined to introduce
a hard failure.
> John Johansen wrote:
>> Stephen Smalley wrote:
>>> IIRC, the AppArmor devs indicated that they plan to start using secids,
>>> which would mean that it would not be possible to stack AppArmor with Smack
>>> or SELinux using this mechanism. So eventually that would have to be
>>> addressed in order for this to even support the AppArmor+Smack or
>>> AppArmor+SELinux use cases.
>>>
>> We do intend to use secids, but it is being done so that its
>> configurable. Configuring it off means you loose apparmor
>> mediation for the bits that need secids. Solving the secids
>> issue is of interest but its not required atm.
> If "configuration" means runtime degeneracy rather than compile time choice, we
> need to be able to distinguish "AppArmor should be enabled only when no
> conflict", "AppArmor should be enabled with degeneracy when conflict" and
> "AppArmor should not be enabled". How do we tell the administrator's choice to
> AppArmor, and how can security_module_enable() tell the situation to AppArmor?
>
> I guess security_module_enable() need to return something like
>
> -ENOENT if that module's name is not passed to security= argument,
> -EBUSY if that module's name is passed to security= argument but cannot be
> loaded due to conflicts,
> -ENOSPC if that module's name is passed to security= argument but cannot be
> loaded due to out of blob slot,
> 0 if that module's name is passed to security= argument and successfully
> loaded
>
> so that the caller of security_module_enable() can "panic();" for -ENOSPC case
> and "return 0;" for -ENOENT case and "continue initialization" for 0 case and
> optionally "retry security_module_enable() with degenerated security ops" for
> -EBUSY case.
>
> In this case, we want to specify default name of LSM modules (which will be
> used when security= argument is not specified) via kernel config.
I am not considering runtime degeneracy.
> Casey Schaufler wrote:
>> - if (verify(ops)) {
>> - printk(KERN_DEBUG "%s could not verify "
>> - "security_operations structure.\n", __func__);
>> - return -EINVAL;
>> + /*
>> + * Set up the operation vector early, but only once.
>> + * This allows LSM specific file systems to check to see if they
>> + * should come on line.
>> + */
>> + if (ops == NULL) {
>> + pr_debug("%s could not verify security_operations.\n",
>> + __func__);
>> + return 0;
>> }
>> + /*
>> + * Return success if the LSM is already resistered
>> + */
>> + for_each_hook(sop, name)
>> + if (sop == ops)
>> + return 1;
>>
>> - if (security_ops != &default_security_ops)
>> - return -EAGAIN;
>> + /*
>> + * This LSM has not yet been ordered.
>> + */
>> + ops->order = -1;
>>
>> - security_ops = ops;
>> + if (lsm_count >= COMPOSER_MAX) {
>> + pr_warn("Too many security modules. %s not loaded.\n",
>> + ops->name);
>> + return 0;
>> + }
>>
>> - return 0;
>> + if (specified_lsms[0][0] != '\0') {
> We can do "specified_lsms[0][0] = '\0';" after "do_security_initcalls();" so
> that LKM-based LSMs can be loaded without depending on security= argument?
You are going to have to introduce more mechanism if you want to
provide for LKM-based LSMs. How about we consider a change here until
you can propose that mechanism in its entirety.
>> + for (i = 0; specified_lsms[i][0] != '\0'; i++) {
>> + if (strcmp(ops->name, specified_lsms[i]) == 0) {
>> + ops->order = i;
>> + break;
>> + }
>> + }
>> + if (ops->order == -1) {
>> + pr_notice("LSM %s declined by boot options.\n",
>> + ops->name);
>> + return 0;
>> + }
>> + }
>> + /*
>> + * Check for conflicting LSMs.
>> + */
>> +#ifdef CONFIG_SECURITY_NETWORK_XFRM
>> + if (ops->xfrm_policy_alloc_security &&
>> + !list_empty(&lsm_hooks[lsm_xfrm_policy_alloc_security])) {
>> + pr_warn("LSM conflict on %s. %s not loaded.\n",
>> + "xfrm_policy_alloc_security", ops->name);
>> + return 0;
>> + }
>> +#endif
>> + if (ops->secid_to_secctx &&
>> + !list_empty(&lsm_hooks[lsm_secid_to_secctx])) {
>> + pr_warn("LSM conflict on %s. %s not loaded.\n",
>> + "secid_to_secctx", ops->name);
>> + return 0;
>> + }
>> +
>> + /*
>> + * The order will already be set if the command line
>> + * includes "security=".
>> + *
>> + * Do this before the enlisting. If there is an error
>> + * (Very unlikely!) that prevents the enlisting from
>> + * completing it is still necessary to have a blob slot
>> + * for it.
>> + */
> I think "If there is an error (Very unlikely!)" never happens after this point.
>
>> + if (ops->order == -1)
>> + ops->order = lsm_count;
>> + lsm_count++;
>> +
>> + /*
>> + * Use the LSM specified by CONFIG_SECURITY_PRESENT for
>> + * [gs]etprocattr. If the LSM specified is PRESENT_FIRST
>> + * use the first LSM to register that has the hooks.
>> + * If the specified LSM lacks the hooks treat it as if
>> + * there is no LSM registered that supplied them.
>> + */
>> + if (ops->getprocattr && ops->setprocattr &&
>> + (!strcmp(ops->name, present_lsm) ||
>> + (!lsm_present && !strcmp(PRESENT_FIRST, present_lsm)))) {
>> + lsm_present = ops;
>> + present_getprocattr = ops->getprocattr;
>> + present_setprocattr = ops->setprocattr;
>> + pr_info("Security Module %s is presented in /proc.\n",
>> + ops->name);
>> + }
>> + /*
>> + * Return success after registering the LSM.
>> + */
>> + lsm_enlist_ops(ops);
>> +
>> + return 1;
>> }
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-09 13:42 ` James Morris
@ 2013-01-09 17:07 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-09 17:07 UTC (permalink / raw)
To: James Morris
Cc: Stephen Rothwell, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton c, Casey Schaufler
On 1/9/2013 5:42 AM, James Morris wrote:
> On Tue, 8 Jan 2013, Casey Schaufler wrote:
>
>> What I was hoping to say, and apparently didn't, is that people
>> are developing "total" solutions in user space, when some of the
>> work ought to be done in an LSM. Work that is appropriate to the
>> kernel is being done in user space. Often badly, because the
>> kernel provides too many mechanisms to circumvent user space
>> based access controls.
> People do stupid things all the time.
No argument there.
But sometimes it's not a matter of doing a stupid thing so much
as doing what is pragmatic with the tools provided.
> How is this particular case our problem to fix?
Well, somebody ought to, and we're the experts.
> Do you have any concrete examples?
ChromiumOS. Android (OK, the binder driver is in the kernel, but it
isn't a proper driver, it should be an LSM). dbus. X11 security
mechanisms in various incarnations dating back to the UNIX days.
All are things that implement their own policies, and all of which
could have reduced exposure if they could depend on access controls
the kernel does not provide.
Those last two paragraphs represent an opinion, by the way.
An informed opinion, but it should not be considered a criticism
of any of those fine systems or system components.
>> And before we get too far, distros are no longer the driving force
>> for Linux development. I suggest that "operating systems", including
>> ChromiumOS, Android and Tizen are every bit as important.
> Indeed. I was including these projects as "distros".
>
>>> What is the UID issue and how does LSM stacking address it?
>> Android utilizes UIDs in a way that has often been referred to as
>> "hijacking". The UID mechanism supports much of what they want,
>> but clearly isn't complete. Now that Android is moving to multi-user
>> support they're hitting conflicts with their use of the UID
>> attribute. They really ought to be using an LSM that implements
>> the security policy they want rather than hacking around the
>> behavior of UID based controls.
> Right, so they implement an LSM to do what they need. What does this have
> to do with stacking?
SELinux has proven to be a useful debugging tool in the Android
environment. If Android implemented their own LSM today they would
no longer be able to use SELinux to help them track down bugs.
>>> Also, are you saying that security mechanisms are inherently easier to
>>> configure if they're composed from a variety of distinct modules vs. a
>>> monolithic scheme?
>> Nope. I'm saying that for specific use cases including but not limited to
>> telephones, TVs and surveillance networks it is simpler and more appropriate
>> to create the access control and security schemes that directly address
>> the needs than to attempt to squeeze them into corsets designed in the
>> 1990's.
> That may be true, but we do need at least one significant user to step up
> with concrete plans for deployment.
John Johansen has spoken up for Ubuntu.
I suggest that we already have stacking deployed for Yama,
it's just not a general solution.
Kees Cook has another small LSM he'd like to stack as he does Yama.
I don't see that lack of "concrete plans for deployment" is
going to be an issue.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-09 17:07 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-09 17:07 UTC (permalink / raw)
To: James Morris
Cc: Stephen Rothwell, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Andrew Morton c, Casey Schaufler
On 1/9/2013 5:42 AM, James Morris wrote:
> On Tue, 8 Jan 2013, Casey Schaufler wrote:
>
>> What I was hoping to say, and apparently didn't, is that people
>> are developing "total" solutions in user space, when some of the
>> work ought to be done in an LSM. Work that is appropriate to the
>> kernel is being done in user space. Often badly, because the
>> kernel provides too many mechanisms to circumvent user space
>> based access controls.
> People do stupid things all the time.
No argument there.
But sometimes it's not a matter of doing a stupid thing so much
as doing what is pragmatic with the tools provided.
> How is this particular case our problem to fix?
Well, somebody ought to, and we're the experts.
> Do you have any concrete examples?
ChromiumOS. Android (OK, the binder driver is in the kernel, but it
isn't a proper driver, it should be an LSM). dbus. X11 security
mechanisms in various incarnations dating back to the UNIX days.
All are things that implement their own policies, and all of which
could have reduced exposure if they could depend on access controls
the kernel does not provide.
Those last two paragraphs represent an opinion, by the way.
An informed opinion, but it should not be considered a criticism
of any of those fine systems or system components.
>> And before we get too far, distros are no longer the driving force
>> for Linux development. I suggest that "operating systems", including
>> ChromiumOS, Android and Tizen are every bit as important.
> Indeed. I was including these projects as "distros".
>
>>> What is the UID issue and how does LSM stacking address it?
>> Android utilizes UIDs in a way that has often been referred to as
>> "hijacking". The UID mechanism supports much of what they want,
>> but clearly isn't complete. Now that Android is moving to multi-user
>> support they're hitting conflicts with their use of the UID
>> attribute. They really ought to be using an LSM that implements
>> the security policy they want rather than hacking around the
>> behavior of UID based controls.
> Right, so they implement an LSM to do what they need. What does this have
> to do with stacking?
SELinux has proven to be a useful debugging tool in the Android
environment. If Android implemented their own LSM today they would
no longer be able to use SELinux to help them track down bugs.
>>> Also, are you saying that security mechanisms are inherently easier to
>>> configure if they're composed from a variety of distinct modules vs. a
>>> monolithic scheme?
>> Nope. I'm saying that for specific use cases including but not limited to
>> telephones, TVs and surveillance networks it is simpler and more appropriate
>> to create the access control and security schemes that directly address
>> the needs than to attempt to squeeze them into corsets designed in the
>> 1990's.
> That may be true, but we do need at least one significant user to step up
> with concrete plans for deployment.
John Johansen has spoken up for Ubuntu.
I suggest that we already have stacking deployed for Yama,
it's just not a general solution.
Kees Cook has another small LSM he'd like to stack as he does Yama.
I don't see that lack of "concrete plans for deployment" is
going to be an issue.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-09 13:28 ` James Morris
(?)
@ 2013-01-10 10:25 ` John Johansen
2013-01-10 13:23 ` Tetsuo Handa
2013-01-11 0:46 ` Eric W. Biederman
-1 siblings, 2 replies; 67+ messages in thread
From: John Johansen @ 2013-01-10 10:25 UTC (permalink / raw)
To: James Morris
Cc: Casey Schaufler, Stephen Rothwell, LSM, LKLM, SE Linux,
Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
On 01/09/2013 05:28 AM, James Morris wrote:
> On Tue, 8 Jan 2013, John Johansen wrote:
>
>>> I'd say we need to see the actual use-case for Smack and Apparmor being
>>> used together, along with at least one major distro committing to support
>>> this.
>>>
>>>
>> Ubuntu is very interested in stacking
>
> Which modules?
>
Well Yama which has now been special cased, and in the past there has been
discussion about other special case LSMs like case is proposing for module
loading. There has been interest around both selinux + apparmor and
smack + apparmor. I am not sure of all of the use cases that have lead to
such question but some of them have been around containers, with say
selinux on the host and apparmor in the container, or visa versa.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-10 10:25 ` John Johansen
@ 2013-01-10 13:23 ` Tetsuo Handa
2013-01-11 0:46 ` Eric W. Biederman
1 sibling, 0 replies; 67+ messages in thread
From: Tetsuo Handa @ 2013-01-10 13:23 UTC (permalink / raw)
To: john.johansen, jmorris
Cc: casey, sfr, linux-security-module, linux-kernel, selinux, eparis,
keescook, akpm
John Johansen wrote:
> On 01/09/2013 05:28 AM, James Morris wrote:
> > On Tue, 8 Jan 2013, John Johansen wrote:
> >
> >>> I'd say we need to see the actual use-case for Smack and Apparmor being
> >>> used together, along with at least one major distro committing to support
> >>> this.
> >>>
> >>>
> >> Ubuntu is very interested in stacking
> >
> > Which modules?
> >
> Well Yama which has now been special cased, and in the past there has been
> discussion about other special case LSMs like case is proposing for module
> loading. There has been interest around both selinux + apparmor and
> smack + apparmor. I am not sure of all of the use cases that have lead to
> such question but some of them have been around containers, with say
> selinux on the host and apparmor in the container, or visa versa.
My case is I want to use SELinux (or SMACK or something else) for isolation
purpose (little user configuration required) and TOMOYO (or AppArmor or
something else) for behaviour restriction purpose (mostly user configurable
part). SELinux + TOMOYO is a placeholder for stacking.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
[not found] ` <50EEBD8B.2090000@canonical.com>
@ 2013-01-10 16:20 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-10 16:20 UTC (permalink / raw)
To: John Johansen
Cc: Tetsuo Handa, jmorris, linux-security-module, selinux, eparis,
keescook, Casey Schaufler
On 1/10/2013 5:09 AM, John Johansen wrote:
> On 01/10/2013 04:59 AM, Tetsuo Handa wrote:
>> John Johansen wrote:
>>>>> In this case, we want to specify default name of LSM modules (which will be
>>>>> used when security= argument is not specified) via kernel config.
>>>> I am not considering runtime degeneracy.
>>>>
>>> I think that is fine at least for a first pass. Any run time degeneration support
>>> could come as a separate patch if needed.
>> Ubuntu anyway wants to specify CONFIG_DEFAULT_SECURITY via kernel config which
>> will be used when security= argument is not specified, doesn't it?
>>
> yes we will want to do something like that
>
>> Ubuntu's kernel config has
>>
>> CONFIG_SECURITY_SELINUX=y
>> CONFIG_SECURITY_SMACK=y
>> CONFIG_SECURITY_TOMOYO=y
>> CONFIG_SECURITY_APPARMOR=y
>> CONFIG_SECURITY_YAMA=y
>>
>> and current patchset (i.e. removing CONFIG_DEFAULT_SECURITY option) means
>> automatically register SELinux -> TOMOYO -> AppArmor -> Yama (SMACK is not
>> registered due to conflicting hooks) if security= argument is not specified.
>> I think this is different from what default LSM users want. They will suddenly
>> see that SELinux and TOMOYO are registered after upgrading the release.
>> For default LSM users, I think Ubuntu wants to specify
>>
>> static __initdata char chosen_lsm[COMPOSER_NAMES_MAX + 1] =
>> "apparmor,yama";
>>
>> or
>>
>> static __initdata char specified_lsms[COMPOSER_MAX][SECURITY_NAME_MAX + 1] =
>> { "apparmor", "yama" };
>>
>> via kernel config.
>>
> yeah
Grumble.
How about if I reintroduce CONFIG_DEFAULT_SECURITY and
treat it as security=CONFIG_DEFAULT_SECURITY if the
security= option is not specified on the command line?
How about a text line option? In the code choose_lsms
will get run on that string if there is no security=
specified. If it's left blank it gets treated as it is
today.
By using the same code to parse CONFIG_DEFAULT_SECURITY
as used to parse security=<foo> we get consistent
behavior.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-10 10:25 ` John Johansen
@ 2013-01-11 0:46 ` Eric W. Biederman
2013-01-11 0:46 ` Eric W. Biederman
1 sibling, 0 replies; 67+ messages in thread
From: Eric W. Biederman @ 2013-01-11 0:46 UTC (permalink / raw)
To: John Johansen
Cc: James Morris, Casey Schaufler, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
John Johansen <john.johansen@canonical.com> writes:
> On 01/09/2013 05:28 AM, James Morris wrote:
>> On Tue, 8 Jan 2013, John Johansen wrote:
>>
>>>> I'd say we need to see the actual use-case for Smack and Apparmor being
>>>> used together, along with at least one major distro committing to support
>>>> this.
>>>>
>>>>
>>> Ubuntu is very interested in stacking
>>
>> Which modules?
>>
> Well Yama which has now been special cased, and in the past there has been
> discussion about other special case LSMs like case is proposing for module
> loading. There has been interest around both selinux + apparmor and
> smack + apparmor. I am not sure of all of the use cases that have lead to
> such question but some of them have been around containers, with say
> selinux on the host and apparmor in the container, or visa versa.
When a distro is run in a container it is desirable to be able to run
the distro's security policy in that container. Ideally this will get
addressed by being able to do some level of per user namespace stacking.
Say selinux outside and apparmor inside a container.
I think this would take a little more work than what Casey has currently
devised but I am hopeful an additional layer of stacking can be added
after Casey has merged the basic layer of stacking.
Eric
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-11 0:46 ` Eric W. Biederman
0 siblings, 0 replies; 67+ messages in thread
From: Eric W. Biederman @ 2013-01-11 0:46 UTC (permalink / raw)
To: John Johansen
Cc: James Morris, Casey Schaufler, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
John Johansen <john.johansen@canonical.com> writes:
> On 01/09/2013 05:28 AM, James Morris wrote:
>> On Tue, 8 Jan 2013, John Johansen wrote:
>>
>>>> I'd say we need to see the actual use-case for Smack and Apparmor being
>>>> used together, along with at least one major distro committing to support
>>>> this.
>>>>
>>>>
>>> Ubuntu is very interested in stacking
>>
>> Which modules?
>>
> Well Yama which has now been special cased, and in the past there has been
> discussion about other special case LSMs like case is proposing for module
> loading. There has been interest around both selinux + apparmor and
> smack + apparmor. I am not sure of all of the use cases that have lead to
> such question but some of them have been around containers, with say
> selinux on the host and apparmor in the container, or visa versa.
When a distro is run in a container it is desirable to be able to run
the distro's security policy in that container. Ideally this will get
addressed by being able to do some level of per user namespace stacking.
Say selinux outside and apparmor inside a container.
I think this would take a little more work than what Casey has currently
devised but I am hopeful an additional layer of stacking can be added
after Casey has merged the basic layer of stacking.
Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-11 0:46 ` Eric W. Biederman
(?)
@ 2013-01-11 0:57 ` John Johansen
2013-01-11 1:13 ` Eric W. Biederman
-1 siblings, 1 reply; 67+ messages in thread
From: John Johansen @ 2013-01-11 0:57 UTC (permalink / raw)
To: Eric W. Biederman
Cc: James Morris, Casey Schaufler, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
On 01/10/2013 04:46 PM, Eric W. Biederman wrote:
> John Johansen <john.johansen@canonical.com> writes:
>
>> On 01/09/2013 05:28 AM, James Morris wrote:
>>> On Tue, 8 Jan 2013, John Johansen wrote:
>>>
>>>>> I'd say we need to see the actual use-case for Smack and Apparmor being
>>>>> used together, along with at least one major distro committing to support
>>>>> this.
>>>>>
>>>>>
>>>> Ubuntu is very interested in stacking
>>>
>>> Which modules?
>>>
>> Well Yama which has now been special cased, and in the past there has been
>> discussion about other special case LSMs like case is proposing for module
>> loading. There has been interest around both selinux + apparmor and
>> smack + apparmor. I am not sure of all of the use cases that have lead to
>> such question but some of them have been around containers, with say
>> selinux on the host and apparmor in the container, or visa versa.
>
> When a distro is run in a container it is desirable to be able to run
> the distro's security policy in that container. Ideally this will get
> addressed by being able to do some level of per user namespace stacking.
> Say selinux outside and apparmor inside a container.
>
> I think this would take a little more work than what Casey has currently
> devised but I am hopeful an additional layer of stacking can be added
> after Casey has merged the basic layer of stacking.
>
Right the general case will take more, but doing things like selinux on
the outside and apparmor inside are doable right now. And we are working
on supporting stacked apparmor policy right now so apparmor outside and
a different apparmor policy inside will be doable soon.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-11 0:57 ` John Johansen
@ 2013-01-11 1:13 ` Eric W. Biederman
0 siblings, 0 replies; 67+ messages in thread
From: Eric W. Biederman @ 2013-01-11 1:13 UTC (permalink / raw)
To: John Johansen
Cc: James Morris, Casey Schaufler, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
John Johansen <john.johansen@canonical.com> writes:
>> When a distro is run in a container it is desirable to be able to run
>> the distro's security policy in that container. Ideally this will get
>> addressed by being able to do some level of per user namespace stacking.
>> Say selinux outside and apparmor inside a container.
>>
>> I think this would take a little more work than what Casey has currently
>> devised but I am hopeful an additional layer of stacking can be added
>> after Casey has merged the basic layer of stacking.
>>
> Right the general case will take more, but doing things like selinux on
> the outside and apparmor inside are doable right now. And we are working
> on supporting stacked apparmor policy right now so apparmor outside and
> a different apparmor policy inside will be doable soon.
Cool. For stacked apparmor how are you deciding which tasks get which
policy? Is this based on user namespaces or something else?
Eric
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-11 1:13 ` Eric W. Biederman
0 siblings, 0 replies; 67+ messages in thread
From: Eric W. Biederman @ 2013-01-11 1:13 UTC (permalink / raw)
To: John Johansen
Cc: James Morris, Casey Schaufler, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
John Johansen <john.johansen@canonical.com> writes:
>> When a distro is run in a container it is desirable to be able to run
>> the distro's security policy in that container. Ideally this will get
>> addressed by being able to do some level of per user namespace stacking.
>> Say selinux outside and apparmor inside a container.
>>
>> I think this would take a little more work than what Casey has currently
>> devised but I am hopeful an additional layer of stacking can be added
>> after Casey has merged the basic layer of stacking.
>>
> Right the general case will take more, but doing things like selinux on
> the outside and apparmor inside are doable right now. And we are working
> on supporting stacked apparmor policy right now so apparmor outside and
> a different apparmor policy inside will be doable soon.
Cool. For stacked apparmor how are you deciding which tasks get which
policy? Is this based on user namespaces or something else?
Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-11 1:13 ` Eric W. Biederman
(?)
@ 2013-01-11 1:15 ` John Johansen
-1 siblings, 0 replies; 67+ messages in thread
From: John Johansen @ 2013-01-11 1:15 UTC (permalink / raw)
To: Eric W. Biederman
Cc: James Morris, Casey Schaufler, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
On 01/10/2013 05:13 PM, Eric W. Biederman wrote:
> John Johansen <john.johansen@canonical.com> writes:
>
>>> When a distro is run in a container it is desirable to be able to run
>>> the distro's security policy in that container. Ideally this will get
>>> addressed by being able to do some level of per user namespace stacking.
>>> Say selinux outside and apparmor inside a container.
>>>
>>> I think this would take a little more work than what Casey has currently
>>> devised but I am hopeful an additional layer of stacking can be added
>>> after Casey has merged the basic layer of stacking.
>>>
>> Right the general case will take more, but doing things like selinux on
>> the outside and apparmor inside are doable right now. And we are working
>> on supporting stacked apparmor policy right now so apparmor outside and
>> a different apparmor policy inside will be doable soon.
>
> Cool. For stacked apparmor how are you deciding which tasks get which
> policy? Is this based on user namespaces or something else?
>
its based on the apparmor policy namespace, which is inherited from the
parent task.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-11 0:46 ` Eric W. Biederman
@ 2013-01-11 18:13 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-11 18:13 UTC (permalink / raw)
To: Eric W. Biederman
Cc: John Johansen, James Morris, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton,
Casey Schaufler
On 1/10/2013 4:46 PM, Eric W. Biederman wrote:
> John Johansen <john.johansen@canonical.com> writes:
>
>> On 01/09/2013 05:28 AM, James Morris wrote:
>>> On Tue, 8 Jan 2013, John Johansen wrote:
>>>
>>>>> I'd say we need to see the actual use-case for Smack and Apparmor being
>>>>> used together, along with at least one major distro committing to support
>>>>> this.
>>>>>
>>>>>
>>>> Ubuntu is very interested in stacking
>>> Which modules?
>>>
>> Well Yama which has now been special cased, and in the past there has been
>> discussion about other special case LSMs like case is proposing for module
>> loading. There has been interest around both selinux + apparmor and
>> smack + apparmor. I am not sure of all of the use cases that have lead to
>> such question but some of them have been around containers, with say
>> selinux on the host and apparmor in the container, or visa versa.
> When a distro is run in a container it is desirable to be able to run
> the distro's security policy in that container. Ideally this will get
> addressed by being able to do some level of per user namespace stacking.
> Say selinux outside and apparmor inside a container.
>
> I think this would take a little more work than what Casey has currently
> devised but I am hopeful an additional layer of stacking can be added
> after Casey has merged the basic layer of stacking.
Would that be per-container LSM lists? I hadn't thought about
doing that, and don't know how you might implement it, but I
suppose it could work.
>
> Eric
>
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-11 18:13 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-11 18:13 UTC (permalink / raw)
To: Eric W. Biederman
Cc: John Johansen, James Morris, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton,
Casey Schaufler
On 1/10/2013 4:46 PM, Eric W. Biederman wrote:
> John Johansen <john.johansen@canonical.com> writes:
>
>> On 01/09/2013 05:28 AM, James Morris wrote:
>>> On Tue, 8 Jan 2013, John Johansen wrote:
>>>
>>>>> I'd say we need to see the actual use-case for Smack and Apparmor being
>>>>> used together, along with at least one major distro committing to support
>>>>> this.
>>>>>
>>>>>
>>>> Ubuntu is very interested in stacking
>>> Which modules?
>>>
>> Well Yama which has now been special cased, and in the past there has been
>> discussion about other special case LSMs like case is proposing for module
>> loading. There has been interest around both selinux + apparmor and
>> smack + apparmor. I am not sure of all of the use cases that have lead to
>> such question but some of them have been around containers, with say
>> selinux on the host and apparmor in the container, or visa versa.
> When a distro is run in a container it is desirable to be able to run
> the distro's security policy in that container. Ideally this will get
> addressed by being able to do some level of per user namespace stacking.
> Say selinux outside and apparmor inside a container.
>
> I think this would take a little more work than what Casey has currently
> devised but I am hopeful an additional layer of stacking can be added
> after Casey has merged the basic layer of stacking.
Would that be per-container LSM lists? I hadn't thought about
doing that, and don't know how you might implement it, but I
suppose it could work.
>
> Eric
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-11 18:13 ` Casey Schaufler
@ 2013-01-11 19:35 ` Eric W. Biederman
-1 siblings, 0 replies; 67+ messages in thread
From: Eric W. Biederman @ 2013-01-11 19:35 UTC (permalink / raw)
To: Casey Schaufler
Cc: John Johansen, James Morris, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
Casey Schaufler <casey@schaufler-ca.com> writes:
>> When a distro is run in a container it is desirable to be able to run
>> the distro's security policy in that container. Ideally this will get
>> addressed by being able to do some level of per user namespace stacking.
>> Say selinux outside and apparmor inside a container.
>>
>> I think this would take a little more work than what Casey has currently
>> devised but I am hopeful an additional layer of stacking can be added
>> after Casey has merged the basic layer of stacking.
>
> Would that be per-container LSM lists? I hadn't thought about
> doing that, and don't know how you might implement it, but I
> suppose it could work.
Essentially per-container LSM lists. The semantics would be that
first you perform the global LSM list checks, and then you perform
the container LSM list checks (with additional layers if containers are
nested). For LSM modules that depend on security labels I think there
would be a conflict that would prevent nesting.
This is already implemented for capabilities. Something is already
happening with apparmor.
In practice it may just be a matter of getting the LSMs to be aware of
the containers rather than having per container LSM lists. Especially
as all of the hooks are called every time for every LSM.
The important part is that the effect be nested policy. Having nested calls
is likely to be unnecessary and inefficient if there is much nesting of
containers going on.
Eric
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-11 19:35 ` Eric W. Biederman
0 siblings, 0 replies; 67+ messages in thread
From: Eric W. Biederman @ 2013-01-11 19:35 UTC (permalink / raw)
To: Casey Schaufler
Cc: John Johansen, James Morris, Stephen Rothwell, LSM, LKLM,
SE Linux, Eric Paris, Tetsuo Handa, Kees Cook, Andrew Morton
Casey Schaufler <casey@schaufler-ca.com> writes:
>> When a distro is run in a container it is desirable to be able to run
>> the distro's security policy in that container. Ideally this will get
>> addressed by being able to do some level of per user namespace stacking.
>> Say selinux outside and apparmor inside a container.
>>
>> I think this would take a little more work than what Casey has currently
>> devised but I am hopeful an additional layer of stacking can be added
>> after Casey has merged the basic layer of stacking.
>
> Would that be per-container LSM lists? I hadn't thought about
> doing that, and don't know how you might implement it, but I
> suppose it could work.
Essentially per-container LSM lists. The semantics would be that
first you perform the global LSM list checks, and then you perform
the container LSM list checks (with additional layers if containers are
nested). For LSM modules that depend on security labels I think there
would be a conflict that would prevent nesting.
This is already implemented for capabilities. Something is already
happening with apparmor.
In practice it may just be a matter of getting the LSMs to be aware of
the containers rather than having per container LSM lists. Especially
as all of the hooks are called every time for every LSM.
The important part is that the effect be nested policy. Having nested calls
is likely to be unnecessary and inefficient if there is much nesting of
containers going on.
Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
2013-01-08 17:47 ` Stephen Smalley
@ 2013-01-15 4:17 ` Casey Schaufler
-1 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-15 4:17 UTC (permalink / raw)
To: Stephen Smalley
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Casey Schaufler
On 1/8/2013 9:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list based method
>> for handling multiple concurrent modules.
>>
>> A level of indirection has been introduced in the handling of
>> security blobs. LSMs no longer access ->security fields directly,
>> instead they use an abstraction provided by lsm_[gs]et field
>> functions.
>>
>> The XFRM hooks are only used by SELinux and it is not clear
>> that they can be shared. The First LSM that registers using
>> those hooks gets to use them. Any subsequent LSM that uses
>> those hooks is denied registration.
>>
>> Secids have not been made shareable. Only one LSM that uses
>> secids (SELinux and Smack) can be used at a time. The first
>> to register wins.
>>
>> The "security=" boot option takes a comma separated list of
>> LSMs, registering them in the order presented. The LSM hooks
>> will be executed in the order registered. Hooks that return
>> errors are not short circuited. All hooks are called even
>> if one of the LSM hooks fails. The result returned will be
>> that of the last LSM hook that failed.
>>
>> Some hooks don't fit that model. setprocattr, getprocattr,
>> and a few others are special cased. All behavior from
>> security/capability.c has been moved into the hook handling.
>> The security/commoncap functions used to get called from
>> the LSM specific code. The handling of the capability
>> functions has been moved out of the LSMs and into the
>> hook handling.
>>
>> The /proc/*/attr interfaces are given to one LSM. This
>> can be done by setting CONFIG_SECURITY_PRESENT. Additional
>> interfaces have been created in /proc/*/attr so that
>> each LSM has its own named interfaces.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> Have you run any benchmarks, particularly to compare performance
> overhead in the simple case of a single LSM?
>
Yes. Finally.
I ran a series of micro-benchmarks on the assumption that
we're most concerned with system call performance. I used
lmbench, not because it's the world's greatest benchmark
but because it targets some of the things I care about.
I am perfectly happy to accept suggestions of other benchmarks,
but I make no guarantees that I'll be able to run them.
I ran sets of three runs for each configuration and tossed
any benchmark where I had too great a deviation. I ran one
set on Fedora 17 and another on Ubuntu 12.04. I ran what I
consider some interesting configurations, with both the old
LSM infrastructure and the stacking infrastructure.
I compared the performance for these configurations:
CONFIG_SECURITY disabled
CONFIG_SECURITY enabled, no LSM specified
CONFIG_SECURITY enabled, SELinux enabled
CONFIG_SECURITY enabled, SELinux and Yama enabled
CONFIG_SECURITY enabled, Smack enabled
CONFIG_SECURITY enabled, Smack and Yama enabled
I also ran SELinux + AppArmor + Yama, Smack + AppArmor + Yama
and Smack + AppArmor + TOMOYO + Yama under the stacking
framework, but as I can't run them without it I can't do
comparisons.
I found that with security disabled I got 0.79% worse
overall performance with Fedora but a 0.81% better overall
performance with Ubuntu. The combined was 0.01% better,
so I figure that the methodology looks OK.
On Fedora I found that for all comparable configurations
stacking added 1.23%. For Ubuntu, it was 0.61%.
I am no statistician, and I do not aspire to becoming one.
I know that my methods were nowhere near clean and were
in fact very noisy. I had to disqualify a good number of
my results because the deviation between runs was too large.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
@ 2013-01-15 4:17 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-15 4:17 UTC (permalink / raw)
To: Stephen Smalley
Cc: James Morris, LSM, LKLM, SE Linux, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Casey Schaufler
On 1/8/2013 9:47 AM, Stephen Smalley wrote:
> On 01/07/2013 08:54 PM, Casey Schaufler wrote:
>> Subject: [PATCH v12 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s
>> from a single vector of hook handlers to a list based method
>> for handling multiple concurrent modules.
>>
>> A level of indirection has been introduced in the handling of
>> security blobs. LSMs no longer access ->security fields directly,
>> instead they use an abstraction provided by lsm_[gs]et field
>> functions.
>>
>> The XFRM hooks are only used by SELinux and it is not clear
>> that they can be shared. The First LSM that registers using
>> those hooks gets to use them. Any subsequent LSM that uses
>> those hooks is denied registration.
>>
>> Secids have not been made shareable. Only one LSM that uses
>> secids (SELinux and Smack) can be used at a time. The first
>> to register wins.
>>
>> The "security=" boot option takes a comma separated list of
>> LSMs, registering them in the order presented. The LSM hooks
>> will be executed in the order registered. Hooks that return
>> errors are not short circuited. All hooks are called even
>> if one of the LSM hooks fails. The result returned will be
>> that of the last LSM hook that failed.
>>
>> Some hooks don't fit that model. setprocattr, getprocattr,
>> and a few others are special cased. All behavior from
>> security/capability.c has been moved into the hook handling.
>> The security/commoncap functions used to get called from
>> the LSM specific code. The handling of the capability
>> functions has been moved out of the LSMs and into the
>> hook handling.
>>
>> The /proc/*/attr interfaces are given to one LSM. This
>> can be done by setting CONFIG_SECURITY_PRESENT. Additional
>> interfaces have been created in /proc/*/attr so that
>> each LSM has its own named interfaces.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> Have you run any benchmarks, particularly to compare performance
> overhead in the simple case of a single LSM?
>
Yes. Finally.
I ran a series of micro-benchmarks on the assumption that
we're most concerned with system call performance. I used
lmbench, not because it's the world's greatest benchmark
but because it targets some of the things I care about.
I am perfectly happy to accept suggestions of other benchmarks,
but I make no guarantees that I'll be able to run them.
I ran sets of three runs for each configuration and tossed
any benchmark where I had too great a deviation. I ran one
set on Fedora 17 and another on Ubuntu 12.04. I ran what I
consider some interesting configurations, with both the old
LSM infrastructure and the stacking infrastructure.
I compared the performance for these configurations:
CONFIG_SECURITY disabled
CONFIG_SECURITY enabled, no LSM specified
CONFIG_SECURITY enabled, SELinux enabled
CONFIG_SECURITY enabled, SELinux and Yama enabled
CONFIG_SECURITY enabled, Smack enabled
CONFIG_SECURITY enabled, Smack and Yama enabled
I also ran SELinux + AppArmor + Yama, Smack + AppArmor + Yama
and Smack + AppArmor + TOMOYO + Yama under the stacking
framework, but as I can't run them without it I can't do
comparisons.
I found that with security disabled I got 0.79% worse
overall performance with Fedora but a 0.81% better overall
performance with Ubuntu. The combined was 0.01% better,
so I figure that the methodology looks OK.
On Fedora I found that for all comparable configurations
stacking added 1.23%. For Ubuntu, it was 0.61%.
I am no statistician, and I do not aspire to becoming one.
I know that my methods were nowhere near clean and were
in fact very noisy. I had to disqualify a good number of
my results because the deviation between runs was too large.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
[not found] ` <201301212142.FGF86433.OVQJFMHFLtFSOO@I-love.SAKURA.ne.jp>
@ 2013-01-21 22:31 ` Casey Schaufler
[not found] ` <201301220819.AFB21360.OFOQHJFSFVtLMO@I-love.SAKURA.ne.jp>
0 siblings, 1 reply; 67+ messages in thread
From: Casey Schaufler @ 2013-01-21 22:31 UTC (permalink / raw)
To: Tetsuo Handa
Cc: jmorris, linux-security-module, selinux, john.johansen, eparis,
keescook, Casey Schaufler
On 1/21/2013 4:42 AM, Tetsuo Handa wrote:
> Casey Schaufler wrote:
>>> Casey Schaufler wrote:
>>>> - security_ops = ops;
>>>> + if (lsm_count >= COMPOSER_MAX) {
>>>> + pr_warn("Too many security modules. %s not loaded.\n",
>>>> + ops->name);
>>>> + return 0;
>>>> + }
>>>>
>>>> - return 0;
>>>> + if (specified_lsms[0][0] != '\0') {
>>> We can do "specified_lsms[0][0] = '\0';" after "do_security_initcalls();" so
>>> that LKM-based LSMs can be loaded without depending on security= argument?
>> You are going to have to introduce more mechanism if you want to
>> provide for LKM-based LSMs. How about we consider a change here until
>> you can propose that mechanism in its entirety.
>>
> Below is what I think we need for "current v12 patchset" + "LKM-based LSM
> support" + "Require a valid ->order value to all LSM" approach.
> What other mechanism we are missing?
The big trouble is cleaning up blobs that an LSM has allocated
at the time an LSM is unloaded. I am only including the ability
to unregister via reset_security_ops (which I plan to rename,
more on that later) because SELinux depends on it.
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 535a967..615c957 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1876,10 +1876,7 @@ extern struct security_operations *lsm_present;
> /* prototypes */
> extern int security_init(void);
> extern int security_module_enable(struct security_operations *ops);
> -
> -#ifdef CONFIG_SECURITY_SELINUX_DISABLE
> -extern int reset_security_ops(struct security_operations *ops);
> -#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
> +extern void reset_security_ops(struct security_operations *ops);
Making this a void is the right thing to do. At one point in the
development of this patch this function could fail, but that's
no longer the case.
I'm renaming reset_security_ops to security_module_disable to match
up with security_module_enable. I know it's unnecessary, but I think
it's the right thing to do.
>
> /* Security operations */
> int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
> diff --git a/security/security.c b/security/security.c
> index 72bf9dc..9ec72a8 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -34,11 +34,11 @@
>
> /* Boot-time LSM user choice */
>
> -static __initdata char specified_lsms[COMPOSER_MAX][SECURITY_NAME_MAX + 1];
> +static char specified_lsms[COMPOSER_MAX][SECURITY_NAME_MAX + 1];
> static __initdata char allowed_lsms[COMPOSER_NAMES_MAX];
> -static __initdata char present_lsm[SECURITY_NAME_MAX + 1] =
> - CONFIG_PRESENT_SECURITY;
> +static char present_lsm[SECURITY_NAME_MAX + 1] = CONFIG_PRESENT_SECURITY;
>
> +static DEFINE_SPINLOCK(lsm_registration_lock);
> struct list_head lsm_hooks[LSM_MAX_HOOKS];
> struct security_operations *lsm_present;
>
> @@ -57,9 +57,8 @@ static int lsm_count;
> * The "interesting" logic is included here rather than in the
> * caller to reduce the volume of the calling code.
> */
> -static void __init lsm_enlist(struct security_operations *ops,
> - const enum lsm_hooks_index index,
> - void *interesting)
> +static void lsm_enlist(struct security_operations *ops,
> + const enum lsm_hooks_index index, void *interesting)
> {
> struct security_operations *sop;
>
> @@ -85,7 +84,7 @@ static void __init lsm_enlist(struct security_operations *ops,
> }
> }
>
> -static void __init lsm_enlist_ops(struct security_operations *sop)
> +static void lsm_enlist_ops(struct security_operations *sop)
> {
> lsm_enlist(sop, lsm_ptrace_access_check, sop->ptrace_access_check);
> lsm_enlist(sop, lsm_ptrace_traceme, sop->ptrace_traceme);
> @@ -328,15 +327,12 @@ int __init security_init(void)
> pr_info("Security Framework initialized\n");
>
> do_security_initcalls();
> + /* LKM-based LSM modules do not depend on security= argument. */
> + specified_lsms[0][0] = '\0';
>
> return 0;
> }
>
> -/*
> - * Only SELinux calls reset_security_ops.
> - */
> -#ifdef CONFIG_SECURITY_SELINUX_DISABLE
> -
> static void lsm_delist_ops(struct security_operations *sop)
> {
> enum lsm_hooks_index i;
> @@ -347,7 +343,16 @@ static void lsm_delist_ops(struct security_operations *sop)
> return;
> }
>
> -int reset_security_ops(struct security_operations *ops)
> +/**
> + * reset_security_ops - Unregister given security module.
> + *
> + * @ops: a pointer to the struct security_operations.
> + *
> + * Note that this is for unregistering but not for unloading, for LSM
> + * infrastracture does not provide a mechanism for determining whether it is
> + * safe to unload the given module.
> + */
> +void reset_security_ops(struct security_operations *ops)
> {
> /*
> * This LSM is configured to own /proc/.../attr.
> @@ -355,12 +360,11 @@ int reset_security_ops(struct security_operations *ops)
> if (lsm_present == ops)
> lsm_present = NULL;
>
> + spin_lock(&lsm_registration_lock);
> lsm_delist_ops(ops);
> -
> - return 0;
> + spin_unlock(&lsm_registration_lock);
> }
> -
> -#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
> +EXPORT_SYMBOL_GPL(reset_security_ops);
>
> /* Save user chosen LSM(s) */
> static int __init choose_lsm(char *str)
> @@ -402,11 +406,12 @@ __setup("security=", choose_lsm);
> * -or no boot list was specified.
> * Otherwise, return false.
> */
> -int __init security_module_enable(struct security_operations *ops)
> +int security_module_enable(struct security_operations *ops)
> {
> struct security_operations *sop;
> int i;
>
> + spin_lock(&lsm_registration_lock);
> /*
> * Set up the operation vector early, but only once.
> * This allows LSM specific file systems to check to see if they
> @@ -415,14 +420,14 @@ int __init security_module_enable(struct security_operations *ops)
> if (ops == NULL) {
> pr_debug("%s could not verify security_operations.\n",
> __func__);
> - return 0;
> + goto fail;
> }
> /*
> * Return success if the LSM is already resistered
> */
> for_each_hook(sop, name)
> if (sop == ops)
> - return 1;
> + goto ok;
>
> /*
> * This LSM has not yet been ordered.
> @@ -432,7 +437,7 @@ int __init security_module_enable(struct security_operations *ops)
> if (lsm_count >= COMPOSER_MAX) {
> pr_warn("Too many security modules. %s not loaded.\n",
> ops->name);
> - return 0;
> + goto fail;
> }
>
> if (specified_lsms[0][0] != '\0') {
> @@ -445,7 +450,7 @@ int __init security_module_enable(struct security_operations *ops)
> if (ops->order == -1) {
> pr_notice("LSM %s declined by boot options.\n",
> ops->name);
> - return 0;
> + goto fail;
> }
> }
> /*
> @@ -456,14 +461,14 @@ int __init security_module_enable(struct security_operations *ops)
> !list_empty(&lsm_hooks[lsm_xfrm_policy_alloc_security])) {
> pr_warn("LSM conflict on %s. %s not loaded.\n",
> "xfrm_policy_alloc_security", ops->name);
> - return 0;
> + goto fail;
> }
> #endif
> if (ops->secid_to_secctx &&
> !list_empty(&lsm_hooks[lsm_secid_to_secctx])) {
> pr_warn("LSM conflict on %s. %s not loaded.\n",
> "secid_to_secctx", ops->name);
> - return 0;
> + goto fail;
> }
>
> /*
> @@ -499,9 +504,14 @@ int __init security_module_enable(struct security_operations *ops)
> * Return success after registering the LSM.
> */
> lsm_enlist_ops(ops);
> -
> +ok:
> + spin_unlock(&lsm_registration_lock);
> return 1;
> +fail:
> + spin_unlock(&lsm_registration_lock);
> + return 0;
> }
> +EXPORT_SYMBOL_GPL(security_module_enable);
I am disinclined to put in what might appear to be support
for dynamic security modules when I'm not yet willing to
sign up for that.
>
> /* Security operations */
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 8ec7ea0..9bdea1e 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5814,8 +5814,6 @@ static int selinux_disabled;
>
> int selinux_disable(void)
> {
> - int rc;
> -
> if (ss_initialized) {
> /* Not permitted after initial policy load. */
> return -EINVAL;
> @@ -5826,11 +5824,7 @@ int selinux_disable(void)
> return -EINVAL;
> }
>
> - rc = reset_security_ops(&selinux_ops);
> - if (rc) {
> - pr_info("SELinux: Runtime disable disallowed.\n");
> - return rc;
> - }
> + reset_security_ops(&selinux_ops);
>
> printk(KERN_INFO "SELinux: Disabled at runtime.\n");
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
[not found] ` <201301220819.AFB21360.OFOQHJFSFVtLMO@I-love.SAKURA.ne.jp>
@ 2013-01-21 23:45 ` Casey Schaufler
[not found] ` <201301221009.JDB30838.tFFMVFLOQJSOOH@I-love.SAKURA.ne.jp>
0 siblings, 1 reply; 67+ messages in thread
From: Casey Schaufler @ 2013-01-21 23:45 UTC (permalink / raw)
To: Tetsuo Handa
Cc: jmorris, linux-security-module, selinux, john.johansen, eparis,
keescook, Casey Schaufler
On 1/21/2013 3:19 PM, Tetsuo Handa wrote:
> Casey Schaufler wrote:
>> On 1/21/2013 4:42 AM, Tetsuo Handa wrote:
>>> Below is what I think we need for "current v12 patchset" + "LKM-based LSM
>>> support" + "Require a valid ->order value to all LSM" approach.
>>> What other mechanism we are missing?
>> The big trouble is cleaning up blobs that an LSM has allocated
>> at the time an LSM is unloaded. I am only including the ability
>> to unregister via reset_security_ops (which I plan to rename,
>> more on that later) because SELinux depends on it.
> Right. I agree that it is difficult to clean up blobs that an LSM has allocated
> at the time an LSM is unloaded. But not all LSM modules want to allocate blobs.
True enough, but the one example we have of LSM unloading is going
to leave droppings. I don't want to go anywhere near module unloading,
even for LSMs that don't use the official mechanisms, without a story
on how they're going to get cleaned up.
>> I'm renaming reset_security_ops to security_module_disable to match
>> up with security_module_enable. I know it's unnecessary, but I think
>> it's the right thing to do.
> I think that unregister_security() is better named, for we want both
> security_module_enable() and register_security() (since built-in LSM modules in
> Ubuntu kernels need to be able to distinguish whether to try to load or not).
I'm addressing this is v13 without introducing unregister_security.
Patch coming later this week most likely.
> I'm OK to rename reset_security_ops() to security_module_disable() if
> security_module_enable() is changed to return "0 or -ve" so that
> security_module_enable() can return the caller the reason of registration
> failure.
I'm doing that in v13 as well.
>>> +EXPORT_SYMBOL_GPL(security_module_enable);
>> I am disinclined to put in what might appear to be support
>> for dynamic security modules when I'm not yet willing to
>> sign up for that.
> I'm ready to convert TOMOYO into LKM-based LSM and TOMOYO-like modules as well.
> Sorry, I still have not understood what other mechanism we are missing...
I'm not sure that we're missing anything beyond locking
(as you have pointed out) and cleaning up, which you're
less concerned about than I. What I am *not* ready to do
is stand up and say that I believe all the bases are covered.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
[not found] ` <201301221009.JDB30838.tFFMVFLOQJSOOH@I-love.SAKURA.ne.jp>
@ 2013-01-22 2:10 ` Casey Schaufler
[not found] ` <201301221623.JIH35408.LFSJQFOFOOHVMt@I-love.SAKURA.ne.jp>
0 siblings, 1 reply; 67+ messages in thread
From: Casey Schaufler @ 2013-01-22 2:10 UTC (permalink / raw)
To: Tetsuo Handa
Cc: jmorris, linux-security-module, selinux, john.johansen, eparis,
keescook, Casey Schaufler
On 1/21/2013 5:09 PM, Tetsuo Handa wrote:
> Casey Schaufler wrote:
>> True enough, but the one example we have of LSM unloading is going
>> to leave droppings. I don't want to go anywhere near module unloading,
>> even for LSMs that don't use the official mechanisms, without a story
>> on how they're going to get cleaned up.
>> I'm not sure that we're missing anything beyond locking
>> (as you have pointed out) and cleaning up, which you're
>> less concerned about than I. What I am *not* ready to do
>> is stand up and say that I believe all the bases are covered.
> You want to make sure that all blobs used by a LSM module are cleaned up before
> unloading that module, don't you?
That is necessary, but not sufficient. The lsm_blob needs to
be cleaned up as well. And the rub is that you need to use the
LSM provided free functions, but you can't count on them
working once the LSM is disabled because the LSM is, after
all, disabled.
> I think "clean unloading" (i.e. cleaning up blobs used by that module) makes
> sense only after "safe unloading" (i.e. making sure that that module is no
> longer referenced) is implemented.
>
> And if we want to implement "safe unloading", I think we need to add
> "struct module *owner;" to "struct security_operations" and use refcounter like
>
> #define call_void_hook(FUNC, ...) \
> do { \
> struct security_operations *sop; \
> struct module *module; \
> \
> list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
> list[lsm_##FUNC]) { \
> if (!try_module_get(sop->owner)) \
> continue; \
> sop->FUNC(__VA_ARGS__); \
> module_put(sop->owner); \
> } while (0)
I'm not familiar with try_module_get(), but unless it is trivial,
and maybe even then, I have no interest in adding its overhead
in that loop.
> Given that a mechanism for "safe unloading" is implemented, below is my answer
> for "clean unloading".
>
> TOMOYO can manage blobs without using "void *security;" embedded into various
> objects. In other words, TOMOYO can manage blobs using linked lists (which
> are fully reachable from module unloading function) embedded into TOMOYO.
> Thus, it is trivially easy to release blobs used by TOMOYO upon unloading.
> Ditto for TOMOYO-like LKM-based LSM modules.
I'm willing to look at this later.
> I haven't added module_exit() function because "safe unloading" mechanism is
> missing. If "safe unloading" mechanism is implemented, TOMOYO can support both
> runtime loading/registration and unregistration/unloading.
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
[not found] ` <201301221623.JIH35408.LFSJQFOFOOHVMt@I-love.SAKURA.ne.jp>
@ 2013-01-22 19:43 ` Casey Schaufler
[not found] ` <201301232030.HAH52121.VFtOSLHQFJOOMF@I-love.SAKURA.ne.jp>
0 siblings, 1 reply; 67+ messages in thread
From: Casey Schaufler @ 2013-01-22 19:43 UTC (permalink / raw)
To: Tetsuo Handa
Cc: jmorris, linux-security-module, selinux, john.johansen, eparis,
keescook, Casey Schaufler
On 1/21/2013 11:23 PM, Tetsuo Handa wrote:
> Casey Schaufler wrote:
>> I'm not familiar with try_module_get(), but unless it is trivial,
>> and maybe even then, I have no interest in adding its overhead
>> in that loop.
> I noticed that try_module_get() is not sufficient, for it may race with
> preemption. Please see srcu lock version submitted 4 minutes before your post.
>
>>> You want to make sure that all blobs used by a LSM module are cleaned up before
>>> unloading that module, don't you?
>> That is necessary, but not sufficient. The lsm_blob needs to
>> be cleaned up as well. And the rub is that you need to use the
>> LSM provided free functions, but you can't count on them
>> working once the LSM is disabled because the LSM is, after
>> all, disabled.
> Yes, cleaning up lsm_blob is necessary if that module used lsm_blobs.
> My answer is I can convert TOMOYO not to use lsm_blob, which means cleaning up
> lsm_blob is unnecessary.
All you're doing is moving the problem into the LSM.
> I wonder why do we need to use the LSM provided free functions and we can't
> count on them?
You need to use the LSM free functions because only the LSM knows
how the data was allocated.
You can't count on them once the LSM is unregistered because the
LSM is out of the hook lists and you can't find the hooks anymore.
> Unloading function which is specified using module_exit() tag (e.g.
>
> static void __exit foo_exit(void)
> {
> /* Do cleanup stuff here. */
> }
> module_exit(foo_exit);
Yes, you'd need something like that. I am not ready to write
one for each of the existing LSMs. I am not signing up to do
dynamic security modules. Not at this point, anyway.
>
> ) is called from delete_module().
>
> SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
> unsigned int, flags)
> (...snipped...)
> if (mod->exit != NULL)
> mod->exit();
> (...snipped...)
> }
>
> foo_exit() is called from delete_module(), and delete_module() is triggered by
> a request from user space. Thus, foo_exit() is reachable even after foo LSM
> module was unregistered by reset_security_ops().
>
> /**
> * reset_security_ops - Unregister given security module.
> *
> * @ops: a pointer to the struct security_operations.
> *
> * This function must be called before unloading LKM-based LSM module.
> * Caller can safely release blobs after returning from this function.
> */
> void reset_security_ops(struct security_operations *ops)
> {
> /*
> * This LSM is configured to own /proc/.../attr.
> */
> if (lsm_present == ops)
> lsm_present = NULL;
>
> spin_lock(&lsm_registration_lock);
> lsm_delist_ops(ops);
> spin_unlock(&lsm_registration_lock);
> /* Wait for currently running hooks to complete. */
> synchronize_srcu(&lsm_unregistration_lock);
> }
>
> Thus, foo LSM module can clean up resources using foo_exit().
>
> The only problem is that foo module cannot traverse and clean up lsm_blobs
> associated with various objects from foo_exit() function, for we don't want to
> manage locks and linked list of various objects only for making it possible to
> traverse and clean up lsm_blobs from module exit function.
>
> But the problem does not apply LSM modules which do not use lsm_blobs.
Rubbish. You're masking the problem, not eliminating it.
> My proposal is to allow unloading of LSM modules which do not use lsm_blobs
> (and I'm ready to convert TOMOYO a LKM-based LSM which do not use lsm_blobs).
>
> LKM-based LSM modules which do not use lsm_blobs need only "safe unloading"
> mechanism. LKM-based LSM modules which uses lsm_blobs need both
> "safe unloading" mechanism and "safe cleaning up" mechanism.
>
> I think that implementing "safe cleaning up" mechanism is difficult and
> therefore I'm not expecting LSM infrastructure to support unloading of LSM
> modules which use lsm_blobs.
>
>
>
> My suggestion of getting rid of "Require a valid ->order value to all LSM" for
> making it easier for users to add LKM-based LSM modules which do not use
> lsm_blobs comes from backgrounds explained above.
No! I am yelling at you now! Encouraging LSMs to duplicate the LSM
infrastructure is a bad thing. This is the kind of philosophy that
leads to horrid kludges.
>
> If we cannot accept overhead of srcu locks for "safe unloading" mechanism,
> I'm still happy with "LKM-based LSM support without unloading support"
> implementation.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
* Re: [PATCH v12 3/9] LSM: Multiple concurrent LSMs
[not found] ` <201301232030.HAH52121.VFtOSLHQFJOOMF@I-love.SAKURA.ne.jp>
@ 2013-01-23 16:18 ` Casey Schaufler
0 siblings, 0 replies; 67+ messages in thread
From: Casey Schaufler @ 2013-01-23 16:18 UTC (permalink / raw)
To: Tetsuo Handa
Cc: jmorris, linux-security-module, selinux, john.johansen, eparis,
keescook, Casey Schaufler
On 1/23/2013 3:30 AM, Tetsuo Handa wrote:
> Casey, let me confirm what your requirements are.
>
> Confirm 1:
>
> You can tolerate writing LSM modules as loadable kernel modules. Right?
In the future, hypothetically, yes. Not now. I have exactly
zero interest in fighting the battles that resulted in a static
LSM scheme all over again. I can't even remember which side I
was on last time around. I want to keep the issues of multiple
and loadable LSMs separate and distinct.
> Confirm 2:
>
> You don't want to allow loading of LKM-based LSM modules which cannot be
> unloaded safely/cleanly. Right?
That is strictly an issue for loadable modules. The only case I
care about at present is SELinux and reset_security_ops().
> Confirm 3:
>
> When unloading a LKM-based LSM module, you want to make sure that all
> resources used by that module are cleaned up. Right?
That is strictly an issues for LKM-based modules, and I have no interest
in encumbering multiple LSM support with the issues of LKM-based modules.
> Confirm 4:
>
> You consider that requisite mechanisms for LSM framework for supporting
> LKM-based LSMs are
>
> (a) "safe unloading" : LKM-based LSM modules can be unloaded safely.
>
> (b) "clean unloading" : All resources used by LKM-based LSM module can be
> cleaned up upon unload.
>
> . Right?
I consider support for LKM-based security modules to be outside the scope
of the work at hand. I have no intention of doing things to make LKM-based
modules more difficult in the future. I also have no intention of going
out of my way to make them easier.
> Confirm 5:
>
> You want any LSM modules (including LKM-based LSM modules) to manage security
> blobs using "struct lsm_blob" provided by LSM framework. Right?
I would need to look at a proposal on how LKM-based are supposed to
work before I would answer a question at that depth. I am regrettably
not available for that work presently.
> Confirm 6:
>
> You want to implement a mechanism which makes it possible to allow LKM-based
> LSM module to clean up all resources upon unloading. Right?
I am uninterested in LKM-based LSMs at present. I have none of the time, energy
or inclination required to tackle that project. I believe that including LKM-based
LSMs in the multiple concurrent LSM project would significantly increases resistance
to the project's acceptance.
Arguments around, about or including LKM-based LSM support are not
relevant to the task at hand and impede its progress. Please, can
we hold them for later?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 67+ messages in thread
end of thread, other threads:[~2013-01-23 16:18 UTC | newest]
Thread overview: 67+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-01-08 1:54 [PATCH v12 0/9] LSM: Multiple concurrent LSMs Casey Schaufler
2013-01-08 1:54 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 1/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 2/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 3/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
[not found] ` <201301092211.CGF18746.LMOHJFOOFQtVSF@I-love.SAKURA.ne.jp>
2013-01-09 16:26 ` Casey Schaufler
[not found] ` <50EE9BAE.5010101@canonical.com>
[not found] ` <201301102159.JAE81243.tOFLQVOMHSJOFF@I-love.SAKURA.ne.jp>
[not found] ` <50EEBD8B.2090000@canonical.com>
2013-01-10 16:20 ` Casey Schaufler
[not found] ` <201301212142.FGF86433.OVQJFMHFLtFSOO@I-love.SAKURA.ne.jp>
2013-01-21 22:31 ` Casey Schaufler
[not found] ` <201301220819.AFB21360.OFOQHJFSFVtLMO@I-love.SAKURA.ne.jp>
2013-01-21 23:45 ` Casey Schaufler
[not found] ` <201301221009.JDB30838.tFFMVFLOQJSOOH@I-love.SAKURA.ne.jp>
2013-01-22 2:10 ` Casey Schaufler
[not found] ` <201301221623.JIH35408.LFSJQFOFOOHVMt@I-love.SAKURA.ne.jp>
2013-01-22 19:43 ` Casey Schaufler
[not found] ` <201301232030.HAH52121.VFtOSLHQFJOOMF@I-love.SAKURA.ne.jp>
2013-01-23 16:18 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 4/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 5/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 6/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 7/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 8/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
2013-01-08 2:09 ` [PATCH v12 9/9] " Casey Schaufler
2013-01-08 2:09 ` Casey Schaufler
2013-01-08 3:01 ` [PATCH v12 0/9] " Stephen Rothwell
2013-01-08 3:59 ` Stephen Rothwell
2013-01-08 4:11 ` Casey Schaufler
2013-01-08 4:11 ` Casey Schaufler
2013-01-08 6:34 ` Vasily Kulikov
2013-01-08 4:02 ` Casey Schaufler
2013-01-08 4:02 ` Casey Schaufler
2013-01-08 6:38 ` Vasily Kulikov
2013-01-08 9:12 ` James Morris
2013-01-08 9:12 ` James Morris
2013-01-08 17:14 ` Casey Schaufler
2013-01-08 17:14 ` Casey Schaufler
2013-01-08 20:19 ` Kees Cook
2013-01-09 13:42 ` James Morris
2013-01-09 13:42 ` James Morris
2013-01-09 17:07 ` Casey Schaufler
2013-01-09 17:07 ` Casey Schaufler
2013-01-08 20:40 ` John Johansen
2013-01-09 13:28 ` James Morris
2013-01-09 13:28 ` James Morris
2013-01-10 10:25 ` John Johansen
2013-01-10 13:23 ` Tetsuo Handa
2013-01-11 0:46 ` Eric W. Biederman
2013-01-11 0:46 ` Eric W. Biederman
2013-01-11 0:57 ` John Johansen
2013-01-11 1:13 ` Eric W. Biederman
2013-01-11 1:13 ` Eric W. Biederman
2013-01-11 1:15 ` John Johansen
2013-01-11 18:13 ` Casey Schaufler
2013-01-11 18:13 ` Casey Schaufler
2013-01-11 19:35 ` Eric W. Biederman
2013-01-11 19:35 ` Eric W. Biederman
2013-01-08 17:47 ` Stephen Smalley
2013-01-08 17:47 ` Stephen Smalley
2013-01-08 18:17 ` Casey Schaufler
2013-01-08 18:17 ` Casey Schaufler
2013-01-08 20:01 ` John Johansen
2013-01-15 4:17 ` Casey Schaufler
2013-01-15 4:17 ` Casey Schaufler
2013-01-08 20:22 ` Kees Cook
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.