From: Paul Moore <paul@paul-moore.com> To: Kees Cook <keescook@chromium.org>, Stephen Smalley <sds@tycho.nsa.gov> Cc: Andrew Morton <akpm@linux-foundation.org>, David Howells <dhowells@redhat.com>, "Eric W. Biederman" <ebiederm@xmission.com>, John Johansen <john.johansen@canonical.com>, "Serge E. Hallyn" <serge@hallyn.com>, Casey Schaufler <casey@schaufler-ca.com>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, James Morris <james.l.morris@oracle.com>, Andy Lutomirski <luto@kernel.org>, Linus Torvalds <torvalds@linux-foundation.org>, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v3 04/15] selinux: Refactor to remove bprm_secureexec hook Date: Wed, 19 Jul 2017 20:03:30 -0400 [thread overview] Message-ID: <CAHC9VhTLP7kpJW65y_csgnc9hvp8ouB36U2WPyHGYgGtq8M4hg@mail.gmail.com> (raw) In-Reply-To: <1500416736-49829-5-git-send-email-keescook@chromium.org> On Tue, Jul 18, 2017 at 6:25 PM, Kees Cook <keescook@chromium.org> wrote: > The SELinux bprm_secureexec hook can be merged with the bprm_set_creds > hook since it's dealing with the same information, and all of the details > are finalized during the first call to the bprm_set_creds hook via > prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored > via bprm->called_set_creds). > > Here, the test can just happen at the end of the bprm_set_creds hook, > and the bprm_secureexec hook can be dropped. > > Cc: Paul Moore <paul@paul-moore.com> > Cc: Stephen Smalley <sds@tycho.nsa.gov> > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > security/selinux/hooks.c | 24 +++++------------------- > 1 file changed, 5 insertions(+), 19 deletions(-) This seems reasonable in the context of the other changes. Stephen just posted an AT_SECURE test for the selinux-testsuite on the SELinux mailing list, it would be nice to ensure that this patchset doesn't run afoul of that. Acked-by: Paul Moore <paul@paul-moore.com> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 0f1450a06b02..18038f73a2f7 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2413,30 +2413,17 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) > > /* Clear any possibly unsafe personality bits on exec: */ > bprm->per_clear |= PER_CLEAR_ON_SETID; > - } > - > - return 0; > -} > - > -static int selinux_bprm_secureexec(struct linux_binprm *bprm) > -{ > - const struct task_security_struct *tsec = current_security(); > - u32 sid, osid; > - int atsecure = 0; > - > - sid = tsec->sid; > - osid = tsec->osid; > > - if (osid != sid) { > /* Enable secure mode for SIDs transitions unless > the noatsecure permission is granted between > the two SIDs, i.e. ahp returns 0. */ > - atsecure = avc_has_perm(osid, sid, > - SECCLASS_PROCESS, > - PROCESS__NOATSECURE, NULL); > + rc = avc_has_perm(old_tsec->sid, new_tsec->sid, > + SECCLASS_PROCESS, PROCESS__NOATSECURE, > + NULL); > + bprm->secureexec |= !!rc; > } > > - return !!atsecure; > + return 0; > } > > static int match_file(const void *p, struct file *file, unsigned fd) > @@ -6151,7 +6138,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), > LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), > LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), > - LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec), > > LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), > LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), > -- > 2.7.4 -- paul moore www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: paul@paul-moore.com (Paul Moore) To: linux-security-module@vger.kernel.org Subject: [PATCH v3 04/15] selinux: Refactor to remove bprm_secureexec hook Date: Wed, 19 Jul 2017 20:03:30 -0400 [thread overview] Message-ID: <CAHC9VhTLP7kpJW65y_csgnc9hvp8ouB36U2WPyHGYgGtq8M4hg@mail.gmail.com> (raw) In-Reply-To: <1500416736-49829-5-git-send-email-keescook@chromium.org> On Tue, Jul 18, 2017 at 6:25 PM, Kees Cook <keescook@chromium.org> wrote: > The SELinux bprm_secureexec hook can be merged with the bprm_set_creds > hook since it's dealing with the same information, and all of the details > are finalized during the first call to the bprm_set_creds hook via > prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored > via bprm->called_set_creds). > > Here, the test can just happen at the end of the bprm_set_creds hook, > and the bprm_secureexec hook can be dropped. > > Cc: Paul Moore <paul@paul-moore.com> > Cc: Stephen Smalley <sds@tycho.nsa.gov> > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > security/selinux/hooks.c | 24 +++++------------------- > 1 file changed, 5 insertions(+), 19 deletions(-) This seems reasonable in the context of the other changes. Stephen just posted an AT_SECURE test for the selinux-testsuite on the SELinux mailing list, it would be nice to ensure that this patchset doesn't run afoul of that. Acked-by: Paul Moore <paul@paul-moore.com> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 0f1450a06b02..18038f73a2f7 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2413,30 +2413,17 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) > > /* Clear any possibly unsafe personality bits on exec: */ > bprm->per_clear |= PER_CLEAR_ON_SETID; > - } > - > - return 0; > -} > - > -static int selinux_bprm_secureexec(struct linux_binprm *bprm) > -{ > - const struct task_security_struct *tsec = current_security(); > - u32 sid, osid; > - int atsecure = 0; > - > - sid = tsec->sid; > - osid = tsec->osid; > > - if (osid != sid) { > /* Enable secure mode for SIDs transitions unless > the noatsecure permission is granted between > the two SIDs, i.e. ahp returns 0. */ > - atsecure = avc_has_perm(osid, sid, > - SECCLASS_PROCESS, > - PROCESS__NOATSECURE, NULL); > + rc = avc_has_perm(old_tsec->sid, new_tsec->sid, > + SECCLASS_PROCESS, PROCESS__NOATSECURE, > + NULL); > + bprm->secureexec |= !!rc; > } > > - return !!atsecure; > + return 0; > } > > static int match_file(const void *p, struct file *file, unsigned fd) > @@ -6151,7 +6138,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), > LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), > LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), > - LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec), > > LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), > LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), > -- > 2.7.4 -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-07-20 0:03 UTC|newest] Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-07-18 22:25 [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 01/15] binfmt: Introduce secureexec flag Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:05 ` John Johansen 2017-07-19 0:05 ` John Johansen 2017-07-19 1:01 ` Andy Lutomirski 2017-07-19 1:01 ` Andy Lutomirski 2017-07-18 22:25 ` [PATCH v3 02/15] exec: Rename bprm->cred_prepared to called_set_creds Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:08 ` John Johansen 2017-07-19 0:08 ` John Johansen 2017-07-19 1:06 ` Andy Lutomirski 2017-07-19 1:06 ` Andy Lutomirski 2017-07-19 4:40 ` Kees Cook 2017-07-19 4:40 ` Kees Cook 2017-07-19 9:19 ` James Morris 2017-07-19 9:19 ` James Morris 2017-07-19 23:56 ` Paul Moore 2017-07-19 23:56 ` Paul Moore 2017-07-18 22:25 ` [PATCH v3 03/15] apparmor: Refactor to remove bprm_secureexec hook Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:00 ` John Johansen 2017-07-19 0:00 ` John Johansen 2017-07-19 9:21 ` James Morris 2017-07-19 9:21 ` James Morris 2017-07-18 22:25 ` [PATCH v3 04/15] selinux: " Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-20 0:03 ` Paul Moore [this message] 2017-07-20 0:03 ` Paul Moore 2017-07-20 0:19 ` Paul Moore 2017-07-20 0:19 ` Paul Moore 2017-07-20 1:37 ` Kees Cook 2017-07-20 1:37 ` Kees Cook 2017-07-20 13:42 ` Paul Moore 2017-07-20 13:42 ` Paul Moore 2017-07-20 17:06 ` Kees Cook 2017-07-20 17:06 ` Kees Cook 2017-07-20 20:42 ` Paul Moore 2017-07-20 20:42 ` Paul Moore 2017-07-21 15:40 ` Paul Moore 2017-07-21 15:40 ` Paul Moore 2017-07-21 17:37 ` Kees Cook 2017-07-21 17:37 ` Kees Cook 2017-07-21 19:16 ` Paul Moore 2017-07-21 19:16 ` Paul Moore 2017-07-18 22:25 ` [PATCH v3 05/15] smack: " Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-26 3:58 ` Kees Cook 2017-07-26 3:58 ` Kees Cook 2017-07-26 15:24 ` Casey Schaufler 2017-07-26 15:24 ` Casey Schaufler 2017-07-18 22:25 ` [PATCH v3 06/15] commoncap: " Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 1:10 ` Andy Lutomirski 2017-07-19 1:10 ` Andy Lutomirski 2017-07-19 4:41 ` Kees Cook 2017-07-19 4:41 ` Kees Cook 2017-07-20 4:53 ` Andy Lutomirski 2017-07-20 4:53 ` Andy Lutomirski 2017-07-31 22:43 ` Kees Cook 2017-07-31 22:43 ` Kees Cook 2017-08-01 13:12 ` Andy Lutomirski 2017-08-01 13:12 ` Andy Lutomirski 2017-07-19 9:26 ` James Morris 2017-07-19 9:26 ` James Morris 2017-07-18 22:25 ` [PATCH v3 07/15] commoncap: Move cap_elevated calculation into bprm_set_creds Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 1:52 ` Andy Lutomirski 2017-07-19 1:52 ` Andy Lutomirski 2017-07-19 9:28 ` James Morris 2017-07-19 9:28 ` James Morris 2017-07-18 22:25 ` [PATCH v3 08/15] LSM: drop bprm_secureexec hook Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:02 ` John Johansen 2017-07-19 0:02 ` John Johansen 2017-07-19 9:29 ` James Morris 2017-07-19 9:29 ` James Morris 2017-07-18 22:25 ` [PATCH v3 09/15] exec: Correct comments about "point of no return" Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:45 ` Eric W. Biederman 2017-07-19 0:45 ` Eric W. Biederman 2017-07-18 22:25 ` [PATCH v3 10/15] exec: Use secureexec for setting dumpability Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-26 3:59 ` Kees Cook 2017-07-26 3:59 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 11/15] exec: Use secureexec for clearing pdeath_signal Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 12/15] smack: Remove redundant pdeath_signal clearing Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 13/15] exec: Consolidate dumpability logic Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 14/15] exec: Use sane stack rlimit under secureexec Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 9:42 ` James Morris 2017-07-19 9:42 ` James Morris 2017-07-18 22:25 ` [PATCH v3 15/15] exec: Consolidate pdeath_signal clearing Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 23:03 ` [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Linus Torvalds 2017-07-18 23:03 ` Linus Torvalds 2017-07-19 3:22 ` Serge E. Hallyn 2017-07-19 3:22 ` Serge E. Hallyn 2017-07-19 5:23 ` Kees Cook 2017-07-19 5:23 ` Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAHC9VhTLP7kpJW65y_csgnc9hvp8ouB36U2WPyHGYgGtq8M4hg@mail.gmail.com \ --to=paul@paul-moore.com \ --cc=akpm@linux-foundation.org \ --cc=casey@schaufler-ca.com \ --cc=dhowells@redhat.com \ --cc=ebiederm@xmission.com \ --cc=james.l.morris@oracle.com \ --cc=john.johansen@canonical.com \ --cc=keescook@chromium.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@kernel.org \ --cc=penguin-kernel@i-love.sakura.ne.jp \ --cc=sds@tycho.nsa.gov \ --cc=serge@hallyn.com \ --cc=torvalds@linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.