* [PATCH RFC 00/11] LSM: Stacking for major security modules
@ 2017-08-29 20:52 Casey Schaufler
2017-08-29 20:55 ` [PATCH 01/11] procfs: add smack subdir to attrs Casey Schaufler
` (10 more replies)
0 siblings, 11 replies; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 20:52 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 00/11] LSM: Stacking for major security modules
I am again sending this as an RFC. There are significant differences
from the previous versions. These are in response to feedback on
the mechanisms for dealing with security contexts outside of the
security modules, including user space code.
This patch set implements stacking for "major" security modules
that use cred and file blobs. Management of security blobs is
moved from the security modules and into the LSM infrastructure.
This has been proposed in the past by Serge Hallyn and David Howells.
This implementation owes much to their work.
The bulk of the change is in abstracting use of blobs within the
security modules. This allows the modules to share a single blob
and hides the details from the code. Modules are required to
declare the amount of space they require for each blob they use.
Because modules deal with blobs during their initialization the
blob sizes must be declared prior to module initialization.
The module initialization becomes a two step process.
Security module stacking is optional. If stacking is not configured,
the CONFIG_DEFAULT_SECURITY value is used, just as before. If stacking
is configured using CONFIG_SECURITY_STACKING the modules desired for
the stack are selected individually. AppArmor would be selected by
specifying CONFIG_SECURITY_APPARMOR_STACKED. The CONFIG_DEFAULT_SECURITY
is ignored. The security= boot option is still respected and has the
same behavior as before, allowing a single module to be used instead of
the specified stack.
A prctl() interface is provided to direct the LSM interface as to
which module's information should be reported to user space. If
not specified, the first registered module will be presented.
Some filesystems, including kernfs, use security context strings
to represent the security attributes on a file. To accommodate
multiple active modules a security "context" is defined to use
a regular format:
lsmname='lsmvalue'[,lsmname='lsmvalue']...
This is not exposed to user space run time code except in the
/proc/.../attr/context interface.
I have tested these patches in various configurations of Ubuntu and
Fedora. Smack and SELinux together pass test suites with some exceptions.
Smack does not (yet) deal with overlayfs, so those tests are omitted.
There are conflicts with the way the modules treat network configurations.
These conflicts are under investigation, and changes to Smack (and
possibly SELinux) to reconcile the worst of the issues are in development.
Patch 01 Adds a smack subdirectory in /proc/.../attr
Patch 02 Move management of the cred blob to the LSM infrastructure.
Patch 03 Move management of the file blob to the LSM infrastructure.
Patch 04 Move management of the task blob to the LSM infrastructure.
Patch 05 Infrastructure blob management for IPC, keys, sockets.
Patch 06 Allow stacking of modules except for SELinux and Smack
Patch 07 Mapping from module secids to system secids (tokens)
Patch 08 Fix superblock blobs in Smack.
Patch 09 Mount options for multiple modules.
Patch 10 Allocate task blobs.
Patch 11 Allow stacking of all modules.
These patches can be found in git at:
https://github.com/cschaufler/smack-next.git#stacking-4.13-rc2
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/admin-guide/LSM/index.rst | 31 +-
fs/btrfs/super.c | 10 +-
fs/proc/base.c | 96 ++-
fs/proc/internal.h | 1 +
fs/xattr.c | 6 +-
include/linux/lsm_audit.h | 4 +
include/linux/lsm_hooks.h | 86 +-
include/linux/security.h | 69 +-
include/net/request_sock.h | 2 +
include/uapi/linux/prctl.h | 6 +
kernel/cred.c | 13 -
kernel/fork.c | 3 +
net/netlabel/netlabel_unlabeled.c | 2 +-
security/Kconfig | 90 +++
security/Makefile | 1 +
security/apparmor/context.c | 2 -
security/apparmor/include/context.h | 24 +-
security/apparmor/include/file.h | 2 +-
security/apparmor/lsm.c | 105 ++-
security/security.c | 1332 +++++++++++++++++++++++++++++--
security/selinux/hooks.c | 651 ++++++---------
security/selinux/include/objsec.h | 100 ++-
security/selinux/include/security.h | 3 +-
security/selinux/include/xfrm.h | 2 +-
security/selinux/netlabel.c | 20 +-
security/selinux/selinuxfs.c | 5 +-
security/selinux/ss/services.c | 7 +-
security/selinux/xfrm.c | 10 +-
security/smack/smack.h | 101 ++-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 655 ++++++---------
security/smack/smack_netfilter.c | 12 +-
security/smack/smackfs.c | 21 +-
security/stacking.c | 198 +++++
security/tomoyo/common.h | 30 +-
security/tomoyo/domain.c | 4 +-
security/tomoyo/securityfs_if.c | 13 +-
security/tomoyo/tomoyo.c | 52 +-
38 files changed, 2739 insertions(+), 1032 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [PATCH 01/11] procfs: add smack subdir to attrs
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
@ 2017-08-29 20:55 ` Casey Schaufler
2017-08-31 9:12 ` John Johansen
2017-08-29 20:56 ` Subject: [PATCH 02/11] LSM: manage credential security blobs Casey Schaufler
` (9 subsequent siblings)
10 siblings, 1 reply; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 20:55 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 01/11] procfs: add smack subdir to attrs
Back in 2007 I made what turned out to be a rather serious
mistake in the implementation of the Smack security module.
The SELinux module used an interface in /proc to manipulate
the security context on processes. Rather than use a similar
interface, I used the same interface. The AppArmor team did
likewise. Now /proc/.../attr/current will tell you the
security "context" of the process, but it will be different
depending on the security module you're using.
This patch provides a subdirectory in /proc/.../attr for
Smack. Smack user space can use the "current" file in
this subdirectory and never have to worry about getting
SELinux attributes by mistake. Programs that use the
old interface will continue to work (or fail, as the case
may be) as before.
This patch does not include subdirectories for SELinux
or AppArmor. I do have a patch that provides those, and
will happily make it available should anyone see value
in it.
The original implementation is by Kees Cook.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/admin-guide/LSM/index.rst | 13 +++++--
fs/proc/base.c | 63 ++++++++++++++++++++++++++++-----
fs/proc/internal.h | 1 +
include/linux/security.h | 15 +++++---
security/security.c | 30 +++++++++++++---
5 files changed, 101 insertions(+), 21 deletions(-)
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index c980dfe9abf1..9842e21afd4a 100644
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -17,9 +17,8 @@ MAC extensions, other extensions can be built using the LSM to provide
specific changes to system operation when these tweaks are not available
in the core functionality of Linux itself.
-Without a specific LSM built into the kernel, the default LSM will be the
-Linux capabilities system. Most LSMs choose to extend the capabilities
-system, building their checks on top of the defined capability hooks.
+The Linux capabilities modules will always be included. This may be
+followed by any number of "minor" modules and at most one "major" module.
For more details on capabilities, see ``capabilities(7)`` in the Linux
man-pages project.
@@ -30,6 +29,14 @@ order in which checks are made. The capability module will always
be first, followed by any "minor" modules (e.g. Yama) and then
the one "major" module (e.g. SELinux) if there is one configured.
+Process attributes associated with "major" security modules should
+be accessed and maintained using the special files in ``/proc/.../attr``.
+A security module may maintain a module specific subdirectory there,
+named after the module. ``/proc/.../attr/smack`` is provided by the Smack
+security module and contains all its special files. The files directly
+in ``/proc/.../attr`` remain as legacy interfaces for modules that provide
+subdirectories.
+
.. toctree::
:maxdepth: 1
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 719c2e943ea1..6a25a4b1592a 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -139,9 +139,13 @@ struct pid_entry {
#define REG(NAME, MODE, fops) \
NOD(NAME, (S_IFREG|(MODE)), NULL, &fops, {})
#define ONE(NAME, MODE, show) \
- NOD(NAME, (S_IFREG|(MODE)), \
+ NOD(NAME, (S_IFREG|(MODE)), \
NULL, &proc_single_file_operations, \
{ .proc_show = show } )
+#define ATTR(LSM, NAME, MODE) \
+ NOD(NAME, (S_IFREG|(MODE)), \
+ NULL, &proc_pid_attr_operations, \
+ { .lsm = LSM })
/*
* Count the number of hardlinks for the pid_entry table, excluding the .
@@ -2495,7 +2499,7 @@ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
if (!task)
return -ESRCH;
- length = security_getprocattr(task,
+ length = security_getprocattr(task, PROC_I(inode)->op.lsm,
(char*)file->f_path.dentry->d_name.name,
&p);
put_task_struct(task);
@@ -2541,7 +2545,8 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
if (length < 0)
goto out_free;
- length = security_setprocattr(file->f_path.dentry->d_name.name,
+ length = security_setprocattr(PROC_I(inode)->op.lsm,
+ file->f_path.dentry->d_name.name,
page, count);
mutex_unlock(¤t->signal->cred_guard_mutex);
out_free:
@@ -2558,13 +2563,53 @@ static const struct file_operations proc_pid_attr_operations = {
.llseek = generic_file_llseek,
};
+#define LSM_DIR_OPS(LSM) \
+static int proc_##LSM##_attr_dir_iterate(struct file *filp, \
+ struct dir_context *ctx) \
+{ \
+ return proc_pident_readdir(filp, ctx, \
+ LSM##_attr_dir_stuff, \
+ ARRAY_SIZE(LSM##_attr_dir_stuff)); \
+} \
+\
+static const struct file_operations proc_##LSM##_attr_dir_ops = { \
+ .read = generic_read_dir, \
+ .iterate = proc_##LSM##_attr_dir_iterate, \
+ .llseek = default_llseek, \
+}; \
+\
+static struct dentry *proc_##LSM##_attr_dir_lookup(struct inode *dir, \
+ struct dentry *dentry, unsigned int flags) \
+{ \
+ return proc_pident_lookup(dir, dentry, \
+ LSM##_attr_dir_stuff, \
+ ARRAY_SIZE(LSM##_attr_dir_stuff)); \
+} \
+\
+static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \
+ .lookup = proc_##LSM##_attr_dir_lookup, \
+ .getattr = pid_getattr, \
+ .setattr = proc_setattr, \
+}
+
+#ifdef CONFIG_SECURITY_SMACK
+static const struct pid_entry smack_attr_dir_stuff[] = {
+ ATTR("smack", "current", 0666),
+};
+LSM_DIR_OPS(smack);
+#endif
+
static const struct pid_entry attr_dir_stuff[] = {
- REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("prev", S_IRUGO, proc_pid_attr_operations),
- REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ ATTR(NULL, "current", 0666),
+ ATTR(NULL, "prev", 0444),
+ ATTR(NULL, "exec", 0666),
+ ATTR(NULL, "fscreate", 0666),
+ ATTR(NULL, "keycreate", 0666),
+ ATTR(NULL, "sockcreate", 0666),
+#ifdef CONFIG_SECURITY_SMACK
+ DIR("smack", 0555,
+ proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
+#endif
};
static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
index aa2b89071630..ba0a8a889ed5 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -58,6 +58,7 @@ union proc_op {
int (*proc_show)(struct seq_file *m,
struct pid_namespace *ns, struct pid *pid,
struct task_struct *task);
+ const char *lsm;
};
struct proc_inode {
diff --git a/include/linux/security.h b/include/linux/security.h
index 458e24bea2d4..8317ace3c30f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -375,8 +375,10 @@ int security_sem_semctl(struct sem_array *sma, int cmd);
int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
unsigned nsops, int alter);
void security_d_instantiate(struct dentry *dentry, struct inode *inode);
-int security_getprocattr(struct task_struct *p, char *name, char **value);
-int security_setprocattr(const char *name, void *value, size_t size);
+int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ char **value);
+int security_setprocattr(const char *lsm, const char *name, void *value,
+ size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
@@ -1133,15 +1135,18 @@ static inline int security_sem_semop(struct sem_array *sma,
return 0;
}
-static inline void security_d_instantiate(struct dentry *dentry, struct inode *inode)
+static inline void security_d_instantiate(struct dentry *dentry,
+ struct inode *inode)
{ }
-static inline int security_getprocattr(struct task_struct *p, char *name, char **value)
+static inline int security_getprocattr(struct task_struct *p, const char *lsm,
+ char *name, char **value)
{
return -EINVAL;
}
-static inline int security_setprocattr(char *name, void *value, size_t size)
+static inline int security_setprocattr(const char *lsm, char *name,
+ void *value, size_t size)
{
return -EINVAL;
}
diff --git a/security/security.c b/security/security.c
index 55b5997e4b72..1618798a5e29 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1258,14 +1258,36 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode)
}
EXPORT_SYMBOL(security_d_instantiate);
-int security_getprocattr(struct task_struct *p, char *name, char **value)
+int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ char **value)
{
- return call_int_hook(getprocattr, -EINVAL, p, name, value);
+ struct security_hook_list *hp;
+ int rc;
+
+ list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ rc = hp->hook.getprocattr(p, name, value);
+ if (rc != -ENOENT)
+ return rc;
+ }
+ return -EINVAL;
}
-int security_setprocattr(const char *name, void *value, size_t size)
+int security_setprocattr(const char *lsm, const char *name, void *value,
+ size_t size)
{
- return call_int_hook(setprocattr, -EINVAL, name, value, size);
+ struct security_hook_list *hp;
+ int rc;
+
+ list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ rc = hp->hook.setprocattr(name, value, size);
+ if (rc != -ENOENT)
+ return rc;
+ }
+ return -EINVAL;
}
int security_netlink_send(struct sock *sk, struct sk_buff *skb)
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* Subject: [PATCH 02/11] LSM: manage credential security blobs
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
2017-08-29 20:55 ` [PATCH 01/11] procfs: add smack subdir to attrs Casey Schaufler
@ 2017-08-29 20:56 ` Casey Schaufler
2017-08-29 20:57 ` [PATCH 03/11] LSM: Manage file " Casey Schaufler
` (8 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 20:56 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 02/11] LSM: manage credential security blobs
Move the management of credential security blobs from the
individual security modules to the security infrastructure.
The security modules using credential blobs have been updated
accordingly. Modules are required to identify the space they
require at module initialization. In some cases a module no
longer needs to supply blob management hook, in which case
the hook has been removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 14 ++++
kernel/cred.c | 13 ----
security/Kconfig | 11 +++
security/apparmor/context.c | 2 -
security/apparmor/include/context.h | 9 ++-
security/apparmor/lsm.c | 44 ++++--------
security/security.c | 98 +++++++++++++++++++++++++-
security/selinux/hooks.c | 115 ++++++++++++-------------------
security/selinux/include/objsec.h | 9 +++
security/selinux/selinuxfs.c | 1 +
security/selinux/xfrm.c | 4 +-
security/smack/smack.h | 15 +++-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 134 +++++++++++++++---------------------
security/smack/smackfs.c | 18 ++---
security/tomoyo/common.h | 20 +++++-
security/tomoyo/domain.c | 4 +-
security/tomoyo/securityfs_if.c | 13 ++--
security/tomoyo/tomoyo.c | 49 ++++++++++---
19 files changed, 346 insertions(+), 229 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index ce02f76a6188..4ecb4ed572cf 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1919,6 +1919,13 @@ struct security_hook_list {
} __randomize_layout;
/*
+ * Security blob size or offset data.
+ */
+struct lsm_blob_sizes {
+ int lbs_cred;
+};
+
+/*
* Initializing a security_hook_list structure takes
* up a lot of space in a source file. This macro takes
* care of the common case and reduces the amount of
@@ -1930,6 +1937,7 @@ struct security_hook_list {
extern struct security_hook_heads security_hook_heads;
extern char *lsm_names;
+extern void security_add_blobs(struct lsm_blob_sizes *needed);
extern void security_add_hooks(struct security_hook_list *hooks, int count,
char *lsm);
@@ -1976,4 +1984,10 @@ void __init loadpin_add_hooks(void);
static inline void loadpin_add_hooks(void) { };
#endif
+extern int lsm_cred_alloc(struct cred *cred, gfp_t gfp);
+
+#ifdef CONFIG_SECURITY
+void lsm_early_cred(struct cred *cred);
+#endif
+
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/kernel/cred.c b/kernel/cred.c
index ecf03657e71c..fa2061ee4955 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -704,19 +704,6 @@ bool creds_are_invalid(const struct cred *cred)
{
if (cred->magic != CRED_MAGIC)
return true;
-#ifdef CONFIG_SECURITY_SELINUX
- /*
- * cred->security == NULL if security_cred_alloc_blank() or
- * security_prepare_creds() returned an error.
- */
- if (selinux_is_enabled() && cred->security) {
- if ((unsigned long) cred->security < PAGE_SIZE)
- return true;
- if ((*(u32 *)cred->security & 0xffffff00) ==
- (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
- return true;
- }
-#endif
return false;
}
EXPORT_SYMBOL(creds_are_invalid);
diff --git a/security/Kconfig b/security/Kconfig
index e8e449444e65..f3464fb5a8b0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -36,6 +36,17 @@ config SECURITY_WRITABLE_HOOKS
bool
default n
+config SECURITY_LSM_DEBUG
+ bool "Enable debugging of the LSM infrastructure"
+ depends on SECURITY
+ help
+ This allows you to choose debug messages related to
+ security modules configured into your kernel. These
+ messages may be helpful in determining how a security
+ module is using security blobs.
+
+ If you are unsure how to answer this question, answer N.
+
config SECURITYFS
bool "Enable the securityfs filesystem"
help
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index c95f1ac6190b..db203ee24db8 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -50,8 +50,6 @@ void aa_free_task_context(struct aa_task_ctx *ctx)
aa_put_label(ctx->label);
aa_put_label(ctx->previous);
aa_put_label(ctx->onexec);
-
- kzfree(ctx);
}
}
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index 6ae07e9aaa17..301ab3a0dd04 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -18,11 +18,12 @@
#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
+#include <linux/lsm_hooks.h>
#include "label.h"
#include "policy_ns.h"
-#define cred_ctx(X) ((X)->security)
+#define cred_ctx(X) apparmor_cred(X)
#define current_ctx() cred_ctx(current_cred())
/**
@@ -54,6 +55,10 @@ int aa_set_current_hat(struct aa_label *label, u64 token);
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);
+static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
+{
+ return cred->security;
+}
/**
* aa_cred_raw_label - obtain cred's label
@@ -65,7 +70,7 @@ struct aa_label *aa_get_task_label(struct task_struct *task);
*/
static inline struct aa_label *aa_cred_raw_label(const struct cred *cred)
{
- struct aa_task_ctx *ctx = cred_ctx(cred);
+ struct aa_task_ctx *ctx = apparmor_cred(cred);
AA_BUG(!ctx || !ctx->label);
return ctx->label;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 867bcd154c7e..827df7012fe4 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -55,22 +55,6 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
static void apparmor_cred_free(struct cred *cred)
{
aa_free_task_context(cred_ctx(cred));
- cred_ctx(cred) = NULL;
-}
-
-/*
- * allocate the apparmor part of blank credentials
- */
-static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- /* freed by apparmor_cred_free */
- struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
-
- if (!ctx)
- return -ENOMEM;
-
- cred_ctx(cred) = ctx;
- return 0;
}
/*
@@ -79,14 +63,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- /* freed by apparmor_cred_free */
- struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
-
- if (!ctx)
- return -ENOMEM;
-
- aa_dup_task_context(ctx, cred_ctx(old));
- cred_ctx(new) = ctx;
+ aa_dup_task_context(cred_ctx(new), cred_ctx(old));
return 0;
}
@@ -656,6 +633,10 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
+struct lsm_blob_sizes apparmor_blob_sizes = {
+ .lbs_cred = sizeof(struct aa_task_ctx),
+};
+
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
@@ -686,7 +667,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
- LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
LSM_HOOK_INIT(cred_free, apparmor_cred_free),
LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
@@ -942,12 +922,10 @@ static int __init set_init_ctx(void)
struct cred *cred = (struct cred *)current->real_cred;
struct aa_task_ctx *ctx;
- ctx = aa_alloc_task_context(GFP_KERNEL);
- if (!ctx)
- return -ENOMEM;
+ lsm_early_cred(cred);
+ ctx = apparmor_cred(cred);
ctx->label = aa_get_label(ns_unconfined(root_ns));
- cred_ctx(cred) = ctx;
return 0;
}
@@ -1031,8 +1009,16 @@ static inline int apparmor_init_sysctl(void)
static int __init apparmor_init(void)
{
+ static int finish;
int error;
+ if (!finish) {
+ if (apparmor_enabled && security_module_enable("apparmor"))
+ security_add_blobs(&apparmor_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
if (!apparmor_enabled || !security_module_enable("apparmor")) {
aa_info_message("AppArmor disabled by boot time parameter");
apparmor_enabled = 0;
diff --git a/security/security.c b/security/security.c
index 1618798a5e29..89d43c65630c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -38,6 +38,8 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init;
static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
char *lsm_names;
+static struct lsm_blob_sizes blob_sizes;
+
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY;
@@ -75,10 +77,22 @@ int __init security_init(void)
loadpin_add_hooks();
/*
- * Load all the remaining security modules.
+ * The first call to a module specific init function
+ * updates the blob size requirements.
+ */
+ do_security_initcalls();
+
+ /*
+ * The second call to a module specific init function
+ * adds hooks to the hook lists and does any other early
+ * initializations required.
*/
do_security_initcalls();
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
+#endif
+
return 0;
}
@@ -186,6 +200,75 @@ int unregister_lsm_notifier(struct notifier_block *nb)
}
EXPORT_SYMBOL(unregister_lsm_notifier);
+/**
+ * lsm_cred_alloc - allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ * @gfp: allocation type
+ *
+ * Allocate the cred blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (cred->security)
+ pr_info("%s: Inbound cred blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_cred == 0)
+ return 0;
+
+ cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
+ if (cred->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_early_cred - during initialization allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ *
+ * Allocate the cred blob for all the modules if it's not already there
+ */
+void lsm_early_cred(struct cred *cred)
+{
+ int rc;
+
+ if (cred == NULL)
+ panic("%s: NULL cred.\n", __func__);
+ if (cred->security != NULL)
+ return;
+ rc = lsm_cred_alloc(cred, GFP_KERNEL);
+ if (rc)
+ panic("%s: Early cred alloc failed.\n", __func__);
+}
+
+static void __init lsm_set_size(int *need, int *lbs)
+{
+ int offset;
+
+ if (*need > 0) {
+ offset = *lbs;
+ *lbs += *need;
+ *need = offset;
+ }
+}
+
+/**
+ * security_add_blobs - Report blob sizes
+ * @needed: the size of blobs needed by the module
+ *
+ * Each LSM has to register its blobs with the infrastructure.
+ * The "needed" data tells the infrastructure how much memory
+ * the module requires for each of its blobs. On return the
+ * structure is filled with the offset that module should use
+ * from the blob pointer.
+ */
+void __init security_add_blobs(struct lsm_blob_sizes *needed)
+{
+ lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
+}
+
/*
* Hook list operation macros.
*
@@ -991,16 +1074,29 @@ void security_task_free(struct task_struct *task)
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
+ int rc = lsm_cred_alloc(cred, gfp);
+
+ if (rc)
+ return rc;
+
return call_int_hook(cred_alloc_blank, 0, cred, gfp);
}
void security_cred_free(struct cred *cred)
{
call_void_hook(cred_free, cred);
+
+ kfree(cred->security);
+ cred->security = NULL;
}
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
{
+ int rc = lsm_cred_alloc(new, gfp);
+
+ if (rc)
+ return rc;
+
return call_int_hook(cred_prepare, 0, new, old, gfp);
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 33fd061305c4..3b2f028f1e86 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -191,12 +191,9 @@ static void cred_init_security(void)
struct cred *cred = (struct cred *) current->real_cred;
struct task_security_struct *tsec;
- tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
- if (!tsec)
- panic("SELinux: Failed to initialize initial task.\n");
-
+ lsm_early_cred(cred);
+ tsec = selinux_cred(cred);
tsec->osid = tsec->sid = SECINITSID_KERNEL;
- cred->security = tsec;
}
/*
@@ -206,7 +203,7 @@ static inline u32 cred_sid(const struct cred *cred)
{
const struct task_security_struct *tsec;
- tsec = cred->security;
+ tsec = selinux_cred(cred);
return tsec->sid;
}
@@ -442,7 +439,7 @@ static int may_context_mount_sb_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
@@ -459,7 +456,7 @@ static int may_context_mount_inode_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
@@ -1881,7 +1878,7 @@ static int may_create(struct inode *dir,
struct dentry *dentry,
u16 tclass)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid;
@@ -1902,7 +1899,7 @@ static int may_create(struct inode *dir,
if (rc)
return rc;
- rc = selinux_determine_inode_label(current_security(), dir,
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
&dentry->d_name, tclass, &newsid);
if (rc)
return rc;
@@ -2359,8 +2356,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- old_tsec = current_security();
- new_tsec = bprm->cred->security;
+ old_tsec = selinux_cred(current_cred());
+ new_tsec = selinux_cred(bprm->cred);
isec = inode_security(inode);
/* Default to the current task SID. */
@@ -2449,7 +2446,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
u32 sid, osid;
int atsecure = 0;
@@ -2531,7 +2528,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
struct rlimit *rlim, *initrlim;
int rc, i;
- new_tsec = bprm->cred->security;
+ new_tsec = selinux_cred(bprm->cred);
if (new_tsec->sid == new_tsec->osid)
return;
@@ -2573,7 +2570,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
*/
static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct itimerval itimer;
u32 osid, sid;
int rc, i;
@@ -2873,7 +2870,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
u32 newsid;
int rc;
- rc = selinux_determine_inode_label(current_security(),
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()),
d_inode(dentry->d_parent), name,
inode_mode_to_security_class(mode),
&newsid);
@@ -2892,14 +2889,14 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
int rc;
struct task_security_struct *tsec;
- rc = selinux_determine_inode_label(old->security,
+ rc = selinux_determine_inode_label(selinux_cred(old),
d_inode(dentry->d_parent), name,
inode_mode_to_security_class(mode),
&newsid);
if (rc)
return rc;
- tsec = new->security;
+ tsec = selinux_cred(new);
tsec->create_sid = newsid;
return 0;
}
@@ -2909,7 +2906,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
const char **name,
void **value, size_t *len)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct superblock_security_struct *sbsec;
u32 sid, newsid, clen;
int rc;
@@ -2920,7 +2917,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
sid = tsec->sid;
newsid = tsec->create_sid;
- rc = selinux_determine_inode_label(current_security(),
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()),
dir, qstr,
inode_mode_to_security_class(inode->i_mode),
&newsid);
@@ -3376,7 +3373,7 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
return -ENOMEM;
}
- tsec = new_creds->security;
+ tsec = selinux_cred(new_creds);
/* Get label from overlay inode and set it in create_sid */
selinux_inode_getsecid(d_inode(src), &sid);
tsec->create_sid = sid;
@@ -3769,52 +3766,16 @@ static int selinux_task_alloc(struct task_struct *task,
}
/*
- * allocate the SELinux part of blank credentials
- */
-static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- struct task_security_struct *tsec;
-
- tsec = kzalloc(sizeof(struct task_security_struct), gfp);
- if (!tsec)
- return -ENOMEM;
-
- cred->security = tsec;
- return 0;
-}
-
-/*
- * detach and free the LSM part of a set of credentials
- */
-static void selinux_cred_free(struct cred *cred)
-{
- struct task_security_struct *tsec = cred->security;
-
- /*
- * cred->security == NULL if security_cred_alloc_blank() or
- * security_prepare_creds() returned an error.
- */
- BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
- cred->security = (void *) 0x7UL;
- kfree(tsec);
-}
-
-/*
* prepare a new set of credentials for modification
*/
static int selinux_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- const struct task_security_struct *old_tsec;
- struct task_security_struct *tsec;
+ const struct task_security_struct *old_tsec = selinux_cred(old);
+ struct task_security_struct *tsec = selinux_cred(new);
- old_tsec = old->security;
-
- tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
- if (!tsec)
- return -ENOMEM;
+ *tsec = *old_tsec;
- new->security = tsec;
return 0;
}
@@ -3823,8 +3784,8 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
*/
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct task_security_struct *old_tsec = old->security;
- struct task_security_struct *tsec = new->security;
+ const struct task_security_struct *old_tsec = selinux_cred(old);
+ struct task_security_struct *tsec = selinux_cred(new);
*tsec = *old_tsec;
}
@@ -3835,7 +3796,7 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
*/
static int selinux_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = selinux_cred(new);
u32 sid = current_sid();
int ret;
@@ -3859,7 +3820,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
{
struct inode_security_struct *isec = inode_security(inode);
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = selinux_cred(new);
u32 sid = current_sid();
int ret;
@@ -4341,7 +4302,7 @@ static int sock_has_perm(struct sock *sk, u32 perms)
static int selinux_socket_create(int family, int type,
int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
u32 newsid;
u16 secclass;
int rc;
@@ -4360,7 +4321,7 @@ static int selinux_socket_create(int family, int type,
static int selinux_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
struct sk_security_struct *sksec;
u16 sclass = socket_type_to_security_class(family, type, protocol);
@@ -4983,7 +4944,7 @@ static int selinux_secmark_relabel_packet(u32 sid)
const struct task_security_struct *__tsec;
u32 tsid;
- __tsec = current_security();
+ __tsec = selinux_cred(current_cred());
tsid = __tsec->sid;
return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
@@ -5890,7 +5851,7 @@ static int selinux_getprocattr(struct task_struct *p,
unsigned len;
rcu_read_lock();
- __tsec = __task_cred(p)->security;
+ __tsec = selinux_cred(__task_cred(p));
if (current != p) {
error = avc_has_perm(current_sid(), __tsec->sid,
@@ -6003,7 +5964,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
operation. See selinux_bprm_set_creds for the execve
checks and may_create for the file creation checks. The
operation will then fail if the context is not permitted. */
- tsec = new->security;
+ tsec = selinux_cred(new);
if (!strcmp(name, "exec")) {
tsec->exec_sid = sid;
} else if (!strcmp(name, "fscreate")) {
@@ -6126,7 +6087,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
if (!ksec)
return -ENOMEM;
- tsec = cred->security;
+ tsec = selinux_cred(cred);
if (tsec->keycreate_sid)
ksec->sid = tsec->keycreate_sid;
else
@@ -6245,6 +6206,10 @@ static void selinux_ib_free_security(void *ib_sec)
}
#endif
+struct lsm_blob_sizes selinux_blob_sizes = {
+ .lbs_cred = sizeof(struct task_security_struct),
+};
+
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
@@ -6328,8 +6293,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_open, selinux_file_open),
LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
- LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
- LSM_HOOK_INIT(cred_free, selinux_cred_free),
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
@@ -6469,11 +6432,19 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
static __init int selinux_init(void)
{
+ static int finish;
+
if (!security_module_enable("selinux")) {
selinux_enabled = 0;
return 0;
}
+ if (!finish) {
+ security_add_blobs(&selinux_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
if (!selinux_enabled) {
printk(KERN_INFO "SELinux: Disabled at boot.\n");
return 0;
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 6ebc61e370ff..f447b21f6be0 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -25,6 +25,9 @@
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
+#include <linux/lsm_hooks.h>
+#include <linux/msg.h>
+#include <net/sock.h>
#include <net/net_namespace.h>
#include "flask.h"
#include "avc.h"
@@ -151,5 +154,11 @@ struct pkey_security_struct {
};
extern unsigned int selinux_checkreqprot;
+extern struct lsm_blob_sizes selinux_blob_sizes;
+
+static inline struct task_security_struct *selinux_cred(const struct cred *cred)
+{
+ return cred->security;
+}
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 00eed842c491..855a13053a81 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -30,6 +30,7 @@
#include <linux/uaccess.h>
#include <linux/kobject.h>
#include <linux/ctype.h>
+#include <linux/lsm_hooks.h>
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs/nfsd/nfsctl.c code. */
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 56e354fcdfc6..789d07bd900f 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -79,7 +79,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
gfp_t gfp)
{
int rc;
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct xfrm_sec_ctx *ctx = NULL;
u32 str_len;
@@ -136,7 +136,7 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
*/
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
if (!ctx)
return 0;
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 6a71fc7831ab..ab1d217800e2 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -24,6 +24,7 @@
#include <linux/list.h>
#include <linux/rculist.h>
#include <linux/lsm_audit.h>
+#include <linux/msg.h>
/*
* Use IPv6 port labeling if IPv6 is enabled and secmarks
@@ -355,6 +356,11 @@ extern struct list_head smack_onlycap_list;
#define SMACK_HASH_SLOTS 16
extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
+static inline struct task_smack *smack_cred(const struct cred *cred)
+{
+ return cred->security;
+}
+
/*
* Is the directory transmuting?
*/
@@ -381,13 +387,16 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
return tsp->smk_task;
}
-static inline struct smack_known *smk_of_task_struct(const struct task_struct *t)
+static inline struct smack_known *smk_of_task_struct(
+ const struct task_struct *t)
{
struct smack_known *skp;
+ const struct cred *cred;
rcu_read_lock();
- skp = smk_of_task(__task_cred(t)->security);
+ cred = __task_cred(t);
rcu_read_unlock();
+ skp = smk_of_task(smack_cred(cred));
return skp;
}
@@ -404,7 +413,7 @@ static inline struct smack_known *smk_of_forked(const struct task_smack *tsp)
*/
static inline struct smack_known *smk_of_current(void)
{
- return smk_of_task(current_security());
+ return smk_of_task(smack_cred(current_cred()));
}
/*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 1a3004189447..e1d304c65fe3 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -275,7 +275,7 @@ int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known,
int smk_curacc(struct smack_known *obj_known,
u32 mode, struct smk_audit_info *a)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_tskacc(tsp, obj_known, mode, a);
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 463af86812c7..d67ba55f0123 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -121,7 +121,7 @@ static int smk_bu_note(char *note, struct smack_known *sskp,
static int smk_bu_current(char *note, struct smack_known *oskp,
int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (rc <= 0)
@@ -142,7 +142,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp,
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_task(struct task_struct *otp, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *smk_task = smk_of_task_struct(otp);
char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -164,7 +164,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_inode(struct inode *inode, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct inode_smack *isp = inode->i_security;
char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -194,7 +194,7 @@ static int smk_bu_inode(struct inode *inode, int mode, int rc)
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_file(struct file *file, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
struct inode_smack *isp = inode->i_security;
@@ -224,7 +224,7 @@ static int smk_bu_file(struct file *file, int mode, int rc)
static int smk_bu_credfile(const struct cred *cred, struct file *file,
int mode, int rc)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
struct inode_smack *isp = inode->i_security;
@@ -308,29 +308,20 @@ static struct inode_smack *new_inode_smack(struct smack_known *skp)
}
/**
- * new_task_smack - allocate a task security blob
+ * init_task_smack - initialize a task security blob
+ * @tsp: blob to initialize
* @task: a pointer to the Smack label for the running task
* @forked: a pointer to the Smack label for the forked task
- * @gfp: type of the memory for the allocation
*
- * Returns the new blob or NULL if there's no memory available
*/
-static struct task_smack *new_task_smack(struct smack_known *task,
- struct smack_known *forked, gfp_t gfp)
+static void init_task_smack(struct task_smack *tsp, struct smack_known *task,
+ struct smack_known *forked)
{
- struct task_smack *tsp;
-
- tsp = kzalloc(sizeof(struct task_smack), gfp);
- if (tsp == NULL)
- return NULL;
-
tsp->smk_task = task;
tsp->smk_forked = forked;
INIT_LIST_HEAD(&tsp->smk_rules);
INIT_LIST_HEAD(&tsp->smk_relabel);
mutex_init(&tsp->smk_rules_lock);
-
- return tsp;
}
/**
@@ -428,7 +419,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
}
rcu_read_lock();
- tsp = __task_cred(tracer)->security;
+ tsp = smack_cred(__task_cred(tracer));
tracer_known = smk_of_task(tsp);
if ((mode & PTRACE_MODE_ATTACH) &&
@@ -495,7 +486,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
int rc;
struct smack_known *skp;
- skp = smk_of_task(current_security());
+ skp = smk_of_task(smack_cred(current_cred()));
rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
return rc;
@@ -912,7 +903,7 @@ static int smack_sb_statfs(struct dentry *dentry)
static int smack_bprm_set_creds(struct linux_binprm *bprm)
{
struct inode *inode = file_inode(bprm->file);
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = smack_cred(bprm->cred);
struct inode_smack *isp;
struct superblock_smack *sbsp;
int rc;
@@ -961,7 +952,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
*/
static void smack_bprm_committing_creds(struct linux_binprm *bprm)
{
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = smack_cred(bprm->cred);
if (bsp->smk_task != bsp->smk_forked)
current->pdeath_signal = 0;
@@ -975,7 +966,7 @@ static void smack_bprm_committing_creds(struct linux_binprm *bprm)
*/
static int smack_bprm_secureexec(struct linux_binprm *bprm)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
if (tsp->smk_task != tsp->smk_forked)
return 1;
@@ -1774,7 +1765,7 @@ static int smack_mmap_file(struct file *file,
return -EACCES;
mkp = isp->smk_mmap;
- tsp = current_security();
+ tsp = smack_cred(current_cred());
skp = smk_of_current();
rc = 0;
@@ -1870,7 +1861,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
struct smack_known *skp;
- struct smack_known *tkp = smk_of_task(tsk->cred->security);
+ struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
struct file *file;
int rc;
struct smk_audit_info ad;
@@ -1918,7 +1909,7 @@ static int smack_file_receive(struct file *file)
if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
sock = SOCKET_I(inode);
ssp = sock->sk->sk_security;
- tsp = current_security();
+ tsp = smack_cred(current_cred());
/*
* If the receiving process can't write to the
* passed socket or if the passed socket can't
@@ -1960,7 +1951,7 @@ static int smack_file_receive(struct file *file)
*/
static int smack_file_open(struct file *file, const struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct inode *inode = file_inode(file);
struct smk_audit_info ad;
int rc;
@@ -1988,14 +1979,7 @@ static int smack_file_open(struct file *file, const struct cred *cred)
*/
static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
- struct task_smack *tsp;
-
- tsp = new_task_smack(NULL, NULL, gfp);
- if (tsp == NULL)
- return -ENOMEM;
-
- cred->security = tsp;
-
+ init_task_smack(smack_cred(cred), NULL, NULL);
return 0;
}
@@ -2007,15 +1991,11 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void smack_cred_free(struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct smack_rule *rp;
struct list_head *l;
struct list_head *n;
- if (tsp == NULL)
- return;
- cred->security = NULL;
-
smk_destroy_label_list(&tsp->smk_relabel);
list_for_each_safe(l, n, &tsp->smk_rules) {
@@ -2023,7 +2003,6 @@ static void smack_cred_free(struct cred *cred)
list_del(&rp->list);
kfree(rp);
}
- kfree(tsp);
}
/**
@@ -2037,15 +2016,11 @@ static void smack_cred_free(struct cred *cred)
static int smack_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp;
+ struct task_smack *old_tsp = smack_cred(old);
+ struct task_smack *new_tsp = smack_cred(new);
int rc;
- new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp);
- if (new_tsp == NULL)
- return -ENOMEM;
-
- new->security = new_tsp;
+ init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task);
rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
if (rc != 0)
@@ -2053,10 +2028,7 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel,
gfp);
- if (rc != 0)
- return rc;
-
- return 0;
+ return rc;
}
/**
@@ -2068,15 +2040,14 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
*/
static void smack_cred_transfer(struct cred *new, const struct cred *old)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp = new->security;
+ struct task_smack *old_tsp = smack_cred(old);
+ struct task_smack *new_tsp = smack_cred(new);
new_tsp->smk_task = old_tsp->smk_task;
new_tsp->smk_forked = old_tsp->smk_task;
mutex_init(&new_tsp->smk_rules_lock);
INIT_LIST_HEAD(&new_tsp->smk_rules);
-
/* cbs copy rule list */
}
@@ -2089,7 +2060,7 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
*/
static int smack_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_smack *new_tsp = new->security;
+ struct task_smack *new_tsp = smack_cred(new);
new_tsp->smk_task = smack_from_secid(secid);
return 0;
@@ -2107,7 +2078,7 @@ static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
struct inode_smack *isp = inode->i_security;
- struct task_smack *tsp = new->security;
+ struct task_smack *tsp = smack_cred(new);
tsp->smk_forked = isp->smk_inode;
tsp->smk_task = tsp->smk_forked;
@@ -3670,7 +3641,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
*/
static int smack_setprocattr(const char *name, void *value, size_t size)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct cred *new;
struct smack_known *skp;
struct smack_known_list_elem *sklep;
@@ -3711,7 +3682,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
if (new == NULL)
return -ENOMEM;
- tsp = new->security;
+ tsp = smack_cred(new);
tsp->smk_task = skp;
/*
* process can change its label only once
@@ -4347,7 +4318,7 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- struct smack_known *skp = smk_of_task(cred->security);
+ struct smack_known *skp = smk_of_task(smack_cred(cred));
key->security = skp;
return 0;
@@ -4378,7 +4349,7 @@ static int smack_key_permission(key_ref_t key_ref,
{
struct key *keyp;
struct smk_audit_info ad;
- struct smack_known *tkp = smk_of_task(cred->security);
+ struct smack_known *tkp = smk_of_task(smack_cred(cred));
int request = 0;
int rc;
@@ -4631,6 +4602,10 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
return 0;
}
+struct lsm_blob_sizes smack_blob_sizes = {
+ .lbs_cred = sizeof(struct task_smack),
+};
+
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4806,23 +4781,35 @@ static __init void init_smack_known_list(void)
*/
static __init int smack_init(void)
{
- struct cred *cred;
+ static int finish;
+ struct cred *cred = (struct cred *) current->cred;
struct task_smack *tsp;
if (!security_module_enable("smack"))
return 0;
+ if (!finish) {
+ security_add_blobs(&smack_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
smack_inode_cache = KMEM_CACHE(inode_smack, 0);
if (!smack_inode_cache)
return -ENOMEM;
- tsp = new_task_smack(&smack_known_floor, &smack_known_floor,
- GFP_KERNEL);
- if (tsp == NULL) {
- kmem_cache_destroy(smack_inode_cache);
- return -ENOMEM;
- }
+ lsm_early_cred(cred);
+ /*
+ * Set the security state for the initial task.
+ */
+ tsp = smack_cred(cred);
+ init_task_smack(tsp, &smack_known_floor, &smack_known_floor);
+
+ /*
+ * Register with LSM
+ */
+ security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
smack_enabled = 1;
pr_info("Smack: Initializing.\n");
@@ -4836,20 +4823,9 @@ static __init int smack_init(void)
pr_info("Smack: IPv6 Netfilter enabled.\n");
#endif
- /*
- * Set the security state for the initial task.
- */
- cred = (struct cred *) current->cred;
- cred->security = tsp;
-
/* initialize the smack_known_list */
init_smack_known_list();
- /*
- * Register with LSM
- */
- security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
-
return 0;
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index f6482e53d55a..9d2dde608298 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -2208,14 +2208,14 @@ static const struct file_operations smk_logging_ops = {
static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -2262,7 +2262,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_FIXED24_FMT);
@@ -2414,14 +2414,14 @@ static const struct file_operations smk_load2_ops = {
static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -2467,7 +2467,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_LONG_FMT);
@@ -2681,14 +2681,14 @@ static const struct file_operations smk_syslog_ops = {
static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_relabel);
}
static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_relabel);
}
@@ -2736,7 +2736,7 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file)
static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
char *data;
int rc;
LIST_HEAD(list_tmp);
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 361e7a284699..cbcfccc84784 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -28,6 +28,7 @@
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/un.h>
+#include <linux/lsm_hooks.h>
#include <net/sock.h>
#include <net/af_unix.h>
#include <net/ip.h>
@@ -1196,13 +1197,26 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
}
/**
+ * tomoyo_cred - Get a pointer to the tomoyo cred security blob
+ * @cred - the relevant cred
+ *
+ * Returns pointer to the tomoyo cred blob.
+ */
+static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
+{
+ return cred->security;
+}
+
+/**
* tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
*
* Returns pointer to "struct tomoyo_domain_info" for current thread.
*/
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
- return current_cred()->security;
+ struct tomoyo_domain_info **blob = tomoyo_cred(current_cred());
+
+ return *blob;
}
/**
@@ -1215,7 +1229,9 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void)
static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
*task)
{
- return task_cred_xxx(task, security);
+ struct tomoyo_domain_info **blob = tomoyo_cred(get_task_cred(task));
+
+ return *blob;
}
/**
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 00d223e9fb37..80ebb422c02b 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -677,6 +677,7 @@ static int tomoyo_environ(struct tomoyo_execve *ee)
*/
int tomoyo_find_next_domain(struct linux_binprm *bprm)
{
+ struct tomoyo_domain_info **blob;
struct tomoyo_domain_info *old_domain = tomoyo_domain();
struct tomoyo_domain_info *domain = NULL;
const char *original_name = bprm->filename;
@@ -842,7 +843,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
domain = old_domain;
/* Update reference count on "struct tomoyo_domain_info". */
atomic_inc(&domain->users);
- bprm->cred->security = domain;
+ blob = tomoyo_cred(bprm->cred);
+ *blob = domain;
kfree(exename.name);
if (!retval) {
ee->r.domain = domain;
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 06ab41b1ff28..9289f2a16036 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -70,9 +70,12 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
if (!cred) {
error = -ENOMEM;
} else {
- struct tomoyo_domain_info *old_domain =
- cred->security;
- cred->security = new_domain;
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *old_domain;
+
+ blob = tomoyo_cred(cred);
+ old_domain = *blob;
+ *blob = new_domain;
atomic_inc(&new_domain->users);
atomic_dec(&old_domain->users);
commit_creds(cred);
@@ -233,10 +236,12 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode,
*/
static int __init tomoyo_initerface_init(void)
{
+ struct tomoyo_domain_info *domain;
struct dentry *tomoyo_dir;
+ domain = tomoyo_domain();
/* Don't create securityfs entries unless registered. */
- if (current_cred()->security != &tomoyo_kernel_domain)
+ if (domain != &tomoyo_kernel_domain)
return 0;
tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 130b4fa4f65f..901fa7835337 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -17,7 +17,9 @@
*/
static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
{
- new->security = NULL;
+ struct tomoyo_domain_info **blob = tomoyo_cred(new);
+
+ *blob = NULL;
return 0;
}
@@ -33,8 +35,13 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct tomoyo_domain_info *domain = old->security;
- new->security = domain;
+ struct tomoyo_domain_info **old_blob = tomoyo_cred(old);
+ struct tomoyo_domain_info **new_blob = tomoyo_cred(new);
+ struct tomoyo_domain_info *domain;
+
+ domain = *old_blob;
+ *new_blob = domain;
+
if (domain)
atomic_inc(&domain->users);
return 0;
@@ -58,7 +65,9 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
*/
static void tomoyo_cred_free(struct cred *cred)
{
- struct tomoyo_domain_info *domain = cred->security;
+ struct tomoyo_domain_info **blob = tomoyo_cred(cred);
+ struct tomoyo_domain_info *domain = *blob;
+
if (domain)
atomic_dec(&domain->users);
}
@@ -72,6 +81,9 @@ static void tomoyo_cred_free(struct cred *cred)
*/
static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
{
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *domain;
+
/*
* Do only if this function is called for the first time of an execve
* operation.
@@ -92,13 +104,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
* stored inside "bprm->cred->security" will be acquired later inside
* tomoyo_find_next_domain().
*/
- atomic_dec(&((struct tomoyo_domain_info *)
- bprm->cred->security)->users);
+ blob = tomoyo_cred(bprm->cred);
+ domain = *blob;
+ atomic_dec(&domain->users);
/*
* Tell tomoyo_bprm_check_security() is called for the first time of an
* execve operation.
*/
- bprm->cred->security = NULL;
+ *blob = NULL;
return 0;
}
@@ -111,8 +124,11 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
*/
static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
{
- struct tomoyo_domain_info *domain = bprm->cred->security;
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *domain;
+ blob = tomoyo_cred(bprm->cred);
+ domain = *blob;
/*
* Execute permission is checked against pathname passed to do_execve()
* using current domain.
@@ -492,6 +508,10 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
return tomoyo_socket_sendmsg_permission(sock, msg, size);
}
+struct lsm_blob_sizes tomoyo_blob_sizes = {
+ .lbs_cred = sizeof(struct tomoyo_domain_info *),
+};
+
/*
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
@@ -537,14 +557,25 @@ DEFINE_SRCU(tomoyo_ss);
*/
static int __init tomoyo_init(void)
{
+ static int finish;
struct cred *cred = (struct cred *) current_cred();
+ struct tomoyo_domain_info **blob;
if (!security_module_enable("tomoyo"))
return 0;
+
+ if (!finish) {
+ security_add_blobs(&tomoyo_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
printk(KERN_INFO "TOMOYO Linux initialized\n");
- cred->security = &tomoyo_kernel_domain;
+ lsm_early_cred(cred);
+ blob = tomoyo_cred(cred);
+ *blob = &tomoyo_kernel_domain;
tomoyo_mm_init();
return 0;
}
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 03/11] LSM: Manage file security blobs
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
2017-08-29 20:55 ` [PATCH 01/11] procfs: add smack subdir to attrs Casey Schaufler
2017-08-29 20:56 ` Subject: [PATCH 02/11] LSM: manage credential security blobs Casey Schaufler
@ 2017-08-29 20:57 ` Casey Schaufler
2017-08-31 15:47 ` [Non-DoD Source] " Stephen Smalley
2017-08-29 20:58 ` [PATCH 04/11] LSM: manage task " Casey Schaufler
` (7 subsequent siblings)
10 siblings, 1 reply; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 20:57 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 03/11] LSM: Manage file security blobs
Move the management of file security blobs from the individual
security modules to the security infrastructure. The security modules
using file blobs have been updated accordingly. Modules are required
to identify the space they need at module initialization. In some
cases a module no longer needs to supply a blob management hook, in
which case the hook has been removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/apparmor/include/context.h | 5 +++++
security/apparmor/include/file.h | 2 +-
security/apparmor/lsm.c | 19 +++++++++--------
security/security.c | 32 +++++++++++++++++++++++++++++
security/selinux/hooks.c | 41 +++++++++----------------------------
security/selinux/include/objsec.h | 5 +++++
security/smack/smack.h | 5 +++++
security/smack/smack_lsm.c | 26 ++++++++---------------
9 files changed, 78 insertions(+), 58 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 4ecb4ed572cf..0603c57726e4 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1923,6 +1923,7 @@ struct security_hook_list {
*/
struct lsm_blob_sizes {
int lbs_cred;
+ int lbs_file;
};
/*
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index 301ab3a0dd04..c6e106a533e8 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -87,6 +87,11 @@ static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
return aa_get_newest_label(aa_cred_raw_label(cred));
}
+static inline struct aa_file_ctx *apparmor_file(const struct file *file)
+{
+ return file->f_security;
+}
+
/**
* __aa_task_raw_label - retrieve another task's label
* @task: task to query (NOT NULL)
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 001e40073ff9..af87b23700d7 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -32,7 +32,7 @@ struct path;
AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \
AA_EXEC_MMAP | AA_MAY_LINK)
-#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
+#define file_ctx(X) apparmor_file(X)
/* struct aa_file_ctx - the AppArmor context the file was opened in
* @lock: lock to update the ctx
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 827df7012fe4..fb317cc94510 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -400,21 +400,21 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
static int apparmor_file_alloc_security(struct file *file)
{
- int error = 0;
-
- /* freed by apparmor_file_free_security */
+ struct aa_file_ctx *ctx = file_ctx(file);
struct aa_label *label = begin_current_label_crit_section();
- file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
- if (!file_ctx(file))
- error = -ENOMEM;
- end_current_label_crit_section(label);
- return error;
+ spin_lock_init(&ctx->lock);
+ rcu_assign_pointer(ctx->label, aa_get_label(label));
+ end_current_label_crit_section(label);
+ return 0;
}
static void apparmor_file_free_security(struct file *file)
{
- aa_free_file_ctx(file_ctx(file));
+ struct aa_file_ctx *ctx = file_ctx(file);
+
+ if (ctx)
+ aa_put_label(rcu_access_pointer(ctx->label));
}
static int common_file_perm(const char *op, struct file *file, u32 mask)
@@ -635,6 +635,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
struct lsm_blob_sizes apparmor_blob_sizes = {
.lbs_cred = sizeof(struct aa_task_ctx),
+ .lbs_file = sizeof(struct aa_file_ctx),
};
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
diff --git a/security/security.c b/security/security.c
index 89d43c65630c..b9346db8a2d4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -91,6 +91,7 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
+ pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
#endif
return 0;
@@ -267,6 +268,30 @@ static void __init lsm_set_size(int *need, int *lbs)
void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
+ lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+}
+
+/**
+ * lsm_file_alloc - allocate a composite file blob
+ * @file: the file that needs a blob
+ *
+ * Allocate the file blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_file_alloc(struct file *file)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (file->f_security)
+ pr_info("%s: Inbound file blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_file == 0)
+ return 0;
+
+ file->f_security = kzalloc(blob_sizes.lbs_file, GFP_KERNEL);
+ if (file->f_security == NULL)
+ return -ENOMEM;
+ return 0;
}
/*
@@ -957,12 +982,19 @@ int security_file_permission(struct file *file, int mask)
int security_file_alloc(struct file *file)
{
+ int rc = lsm_file_alloc(file);
+
+ if (rc)
+ return rc;
return call_int_hook(file_alloc_security, 0, file);
}
void security_file_free(struct file *file)
{
call_void_hook(file_free_security, file);
+
+ kfree(file->f_security);
+ file->f_security = NULL;
}
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3b2f028f1e86..b7909d710368 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -129,7 +129,6 @@ int selinux_enabled = 1;
#endif
static struct kmem_cache *sel_inode_cache;
-static struct kmem_cache *file_security_cache;
/**
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
@@ -359,27 +358,15 @@ static void inode_free_security(struct inode *inode)
static int file_alloc_security(struct file *file)
{
- struct file_security_struct *fsec;
+ struct file_security_struct *fsec = selinux_file(file);
u32 sid = current_sid();
- fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
- if (!fsec)
- return -ENOMEM;
-
fsec->sid = sid;
fsec->fown_sid = sid;
- file->f_security = fsec;
return 0;
}
-static void file_free_security(struct file *file)
-{
- struct file_security_struct *fsec = file->f_security;
- file->f_security = NULL;
- kmem_cache_free(file_security_cache, fsec);
-}
-
static int superblock_alloc_security(struct super_block *sb)
{
struct superblock_security_struct *sbsec;
@@ -1820,7 +1807,7 @@ static int file_has_perm(const struct cred *cred,
struct file *file,
u32 av)
{
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode *inode = file_inode(file);
struct common_audit_data ad;
u32 sid = cred_sid(cred);
@@ -2140,7 +2127,7 @@ static int selinux_binder_transfer_file(struct task_struct *from,
struct file *file)
{
u32 sid = task_sid(to);
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct dentry *dentry = file->f_path.dentry;
struct inode_security_struct *isec;
struct common_audit_data ad;
@@ -3414,7 +3401,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
static int selinux_file_permission(struct file *file, int mask)
{
struct inode *inode = file_inode(file);
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode_security_struct *isec;
u32 sid = current_sid();
@@ -3436,11 +3423,6 @@ static int selinux_file_alloc_security(struct file *file)
return file_alloc_security(file);
}
-static void selinux_file_free_security(struct file *file)
-{
- file_free_security(file);
-}
-
/*
* Check whether a task has the ioctl permission and cmd
* operation to an inode.
@@ -3449,7 +3431,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
u32 requested, u16 cmd)
{
struct common_audit_data ad;
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode *inode = file_inode(file);
struct inode_security_struct *isec;
struct lsm_ioctlop_audit ioctl;
@@ -3695,7 +3677,7 @@ static void selinux_file_set_fowner(struct file *file)
{
struct file_security_struct *fsec;
- fsec = file->f_security;
+ fsec = selinux_file(file);
fsec->fown_sid = current_sid();
}
@@ -3710,7 +3692,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
/* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner);
- fsec = file->f_security;
+ fsec = selinux_file(file);
if (!signum)
perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@@ -3733,7 +3715,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
struct file_security_struct *fsec;
struct inode_security_struct *isec;
- fsec = file->f_security;
+ fsec = selinux_file(file);
isec = inode_security(file_inode(file));
/*
* Save inode label and policy sequence number
@@ -3863,7 +3845,7 @@ static int selinux_kernel_module_from_file(struct file *file)
ad.type = LSM_AUDIT_DATA_FILE;
ad.u.file = file;
- fsec = file->f_security;
+ fsec = selinux_file(file);
if (sid != fsec->sid) {
rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
if (rc)
@@ -6208,6 +6190,7 @@ static void selinux_ib_free_security(void *ib_sec)
struct lsm_blob_sizes selinux_blob_sizes = {
.lbs_cred = sizeof(struct task_security_struct),
+ .lbs_file = sizeof(struct file_security_struct),
};
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
@@ -6279,7 +6262,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
@@ -6460,9 +6442,6 @@ static __init int selinux_init(void)
sel_inode_cache = kmem_cache_create("selinux_inode_security",
sizeof(struct inode_security_struct),
0, SLAB_PANIC, NULL);
- file_security_cache = kmem_cache_create("selinux_file_security",
- sizeof(struct file_security_struct),
- 0, SLAB_PANIC, NULL);
avc_init();
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index f447b21f6be0..1f39105731ee 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -161,4 +161,9 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred)
return cred->security;
}
+static inline struct file_security_struct *selinux_file(const struct file *file)
+{
+ return file->f_security;
+}
+
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/smack/smack.h b/security/smack/smack.h
index ab1d217800e2..d14e8d17eea0 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -361,6 +361,11 @@ static inline struct task_smack *smack_cred(const struct cred *cred)
return cred->security;
}
+static inline struct smack_known **smack_file(const struct file *file)
+{
+ return file->f_security;
+}
+
/*
* Is the directory transmuting?
*/
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index d67ba55f0123..c2a585cfef98 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1601,25 +1601,13 @@ static void smack_inode_getsecid(struct inode *inode, u32 *secid)
*/
static int smack_file_alloc_security(struct file *file)
{
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_file(file);
- file->f_security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_file_free_security - clear a file security blob
- * @file: the object
- *
- * The security blob for a file is a pointer to the master
- * label list, so no memory is freed.
- */
-static void smack_file_free_security(struct file *file)
-{
- file->f_security = NULL;
-}
-
-/**
* smack_file_ioctl - Smack check on ioctls
* @file: the object
* @cmd: what to do
@@ -1843,7 +1831,9 @@ static int smack_mmap_file(struct file *file,
*/
static void smack_file_set_fowner(struct file *file)
{
- file->f_security = smk_of_current();
+ struct smack_known **blob = smack_file(file);
+
+ *blob = smk_of_current();
}
/**
@@ -1860,6 +1850,7 @@ static void smack_file_set_fowner(struct file *file)
static int smack_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
+ struct smack_known **blob;
struct smack_known *skp;
struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
struct file *file;
@@ -1872,7 +1863,8 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
file = container_of(fown, struct file, f_owner);
/* we don't log here as rc can be overriden */
- skp = file->f_security;
+ blob = smack_file(file);
+ skp = *blob;
rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
@@ -4604,6 +4596,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
struct lsm_blob_sizes smack_blob_sizes = {
.lbs_cred = sizeof(struct task_smack),
+ .lbs_file = sizeof(struct smack_known *),
};
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
@@ -4643,7 +4636,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, smack_file_free_security),
LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
LSM_HOOK_INIT(file_lock, smack_file_lock),
LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 04/11] LSM: manage task security blobs
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (2 preceding siblings ...)
2017-08-29 20:57 ` [PATCH 03/11] LSM: Manage file " Casey Schaufler
@ 2017-08-29 20:58 ` Casey Schaufler
2017-08-29 20:59 ` [PATCH 05/11] LSM: Infrastructure management of the remaining blobs Casey Schaufler
` (6 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 20:58 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 04/11] LSM: manage task security blobs
Move management of task security blobs into the security
infrastructure. Modules are required to identify the space
they require. At this time there are no modules that use
task blobs.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/security.c | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0603c57726e4..8d6e757e78dc 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1924,6 +1924,7 @@ struct security_hook_list {
struct lsm_blob_sizes {
int lbs_cred;
int lbs_file;
+ int lbs_task;
};
/*
diff --git a/security/security.c b/security/security.c
index b9346db8a2d4..3ab260b6ae96 100644
--- a/security/security.c
+++ b/security/security.c
@@ -92,6 +92,7 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
+ pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task);
#endif
return 0;
@@ -269,6 +270,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+ lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task);
}
/**
@@ -294,6 +296,29 @@ int lsm_file_alloc(struct file *file)
return 0;
}
+/**
+ * lsm_task_alloc - allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_task_alloc(struct task_struct *task)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (task->security)
+ pr_info("%s: Inbound task blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_task == 0)
+ return 0;
+
+ task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
+ if (task->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
/*
* Hook list operation macros.
*
@@ -1102,6 +1127,9 @@ int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
void security_task_free(struct task_struct *task)
{
call_void_hook(task_free, task);
+
+ kfree(task->security);
+ task->security = NULL;
}
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 05/11] LSM: Infrastructure management of the remaining blobs
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (3 preceding siblings ...)
2017-08-29 20:58 ` [PATCH 04/11] LSM: manage task " Casey Schaufler
@ 2017-08-29 20:59 ` Casey Schaufler
2017-08-31 16:09 ` [Non-DoD Source] " Stephen Smalley
2017-08-29 21:00 ` [PATCH 06/11] LSM: general but not extreme module stacking Casey Schaufler
` (5 subsequent siblings)
10 siblings, 1 reply; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 20:59 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 05/11] LSM: Infrastructure management of the remaining blobs
Move management of the inode, ipc, key, msg_msg, sock and superblock
security blobs from the security modules to the infrastructure.
Use of the blob pointers is abstracted in the security modules.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 8 +
security/security.c | 259 +++++++++++++++++++++++++++-
security/selinux/hooks.c | 333 ++++++++++++------------------------
security/selinux/include/objsec.h | 65 +++++++-
security/selinux/netlabel.c | 15 +-
security/selinux/selinuxfs.c | 4 +-
security/selinux/ss/services.c | 3 +-
security/smack/smack.h | 61 ++++++-
security/smack/smack_lsm.c | 343 +++++++++++---------------------------
security/smack/smack_netfilter.c | 8 +-
10 files changed, 599 insertions(+), 500 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 8d6e757e78dc..36e848e51782 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1924,6 +1924,12 @@ struct security_hook_list {
struct lsm_blob_sizes {
int lbs_cred;
int lbs_file;
+ int lbs_inode;
+ int lbs_ipc;
+ int lbs_key;
+ int lbs_msg_msg;
+ int lbs_sock;
+ int lbs_superblock;
int lbs_task;
};
@@ -1987,9 +1993,11 @@ static inline void loadpin_add_hooks(void) { };
#endif
extern int lsm_cred_alloc(struct cred *cred, gfp_t gfp);
+extern int lsm_inode_alloc(struct inode *inode);
#ifdef CONFIG_SECURITY
void lsm_early_cred(struct cred *cred);
+void lsm_early_inode(struct inode *inode);
#endif
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/security/security.c b/security/security.c
index 3ab260b6ae96..9780bf655a10 100644
--- a/security/security.c
+++ b/security/security.c
@@ -27,7 +27,9 @@
#include <linux/personality.h>
#include <linux/backing-dev.h>
#include <linux/string.h>
+#include <linux/msg.h>
#include <net/flow.h>
+#include <net/sock.h>
#define MAX_LSM_EVM_XATTR 2
@@ -92,8 +94,16 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
+ pr_info("LSM: inode blob size = %d\n", blob_sizes.lbs_inode);
+ pr_info("LSM: ipc blob size = %d\n", blob_sizes.lbs_ipc);
+#ifdef CONFIG_KEYS
+ pr_info("LSM: key blob size = %d\n", blob_sizes.lbs_key);
+#endif /* CONFIG_KEYS */
+ pr_info("LSM: msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
+ pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock);
+ pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock);
pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task);
-#endif
+#endif /* CONFIG_SECURITY_LSM_DEBUG */
return 0;
}
@@ -270,7 +280,19 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+ lsm_set_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
+ lsm_set_size(&needed->lbs_key, &blob_sizes.lbs_key);
+ lsm_set_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
+ lsm_set_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
+ lsm_set_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task);
+ /*
+ * The inode blob gets an rcu_head in addition to
+ * what the modules might need.
+ */
+ if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
+ blob_sizes.lbs_inode = sizeof(struct rcu_head);
+ lsm_set_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
}
/**
@@ -319,6 +341,166 @@ int lsm_task_alloc(struct task_struct *task)
return 0;
}
+/**
+ * lsm_inode_alloc - allocate a composite inode blob
+ * @inode: the inode that needs a blob
+ *
+ * Allocate the inode blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_inode_alloc(struct inode *inode)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (inode->i_security)
+ pr_info("%s: Inbound inode blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_inode == 0)
+ return 0;
+
+ inode->i_security = kzalloc(blob_sizes.lbs_inode, GFP_KERNEL);
+ if (inode->i_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_early_inode - during initialization allocate a composite inode blob
+ * @inode: the inode that needs a blob
+ *
+ * Allocate the inode blob for all the modules if it's not already there
+ */
+void lsm_early_inode(struct inode *inode)
+{
+ int rc;
+
+ if (inode == NULL)
+ panic("%s: NULL inode.\n", __func__);
+ if (inode->i_security != NULL)
+ return;
+ rc = lsm_inode_alloc(inode);
+ if (rc)
+ panic("%s: Early inode alloc failed.\n", __func__);
+}
+
+/**
+ * lsm_ipc_alloc - allocate a composite ipc blob
+ * @kip: the ipc that needs a blob
+ *
+ * Allocate the ipc blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_ipc_alloc(struct kern_ipc_perm *kip)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (kip->security)
+ pr_info("%s: Inbound ipc blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_ipc == 0)
+ return 0;
+
+ kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
+ if (kip->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+#ifdef CONFIG_KEYS
+/**
+ * lsm_key_alloc - allocate a composite key blob
+ * @key: the key that needs a blob
+ *
+ * Allocate the key blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_key_alloc(struct key *key)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (key->security)
+ pr_info("%s: Inbound key blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_key == 0)
+ return 0;
+
+ key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
+ if (key->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+#endif /* CONFIG_KEYS */
+
+/**
+ * lsm_msg_msg_alloc - allocate a composite msg_msg blob
+ * @mp: the msg_msg that needs a blob
+ *
+ * Allocate the ipc blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_msg_msg_alloc(struct msg_msg *mp)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (mp->security)
+ pr_info("%s: Inbound msg_msg blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_msg_msg == 0)
+ return 0;
+
+ mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
+ if (mp->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_sock_alloc - allocate a composite sock blob
+ * @sock: the sock that needs a blob
+ * @priority: allocation mode
+ *
+ * Allocate the sock blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_sock_alloc(struct sock *sock, gfp_t priority)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (sock->sk_security)
+ pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_sock == 0)
+ return 0;
+
+ sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
+ if (sock->sk_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_superblock_alloc - allocate a composite superblock blob
+ * @sb: the superblock that needs a blob
+ *
+ * Allocate the superblock blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_superblock_alloc(struct super_block *sb)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (sb->s_security)
+ pr_info("%s: Inbound superblock blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_superblock == 0)
+ return 0;
+
+ sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
+ if (sb->s_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
/*
* Hook list operation macros.
*
@@ -491,12 +673,18 @@ int security_bprm_secureexec(struct linux_binprm *bprm)
int security_sb_alloc(struct super_block *sb)
{
+ int rc = lsm_superblock_alloc(sb);
+
+ if (rc)
+ return rc;
return call_int_hook(sb_alloc_security, 0, sb);
}
void security_sb_free(struct super_block *sb)
{
call_void_hook(sb_free_security, sb);
+ kfree(sb->s_security);
+ sb->s_security = NULL;
}
int security_sb_copy_data(char *orig, char *copy)
@@ -570,14 +758,39 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode)
{
- inode->i_security = NULL;
+ int rc = lsm_inode_alloc(inode);
+
+ if (rc)
+ return rc;
return call_int_hook(inode_alloc_security, 0, inode);
}
+static void inode_free_by_rcu(struct rcu_head *head)
+{
+ /*
+ * The rcu head is at the start of the inode blob
+ */
+ kfree(head);
+}
+
void security_inode_free(struct inode *inode)
{
integrity_inode_free(inode);
call_void_hook(inode_free_security, inode);
+ /*
+ * The inode may still be referenced in a path walk and
+ * a call to security_inode_permission() can be made
+ * after inode_free_security() is called. Ideally, the VFS
+ * wouldn't do this, but fixing that is a much harder
+ * job. For now, simply free the i_security via RCU, and
+ * leave the current inode->i_security pointer intact.
+ * The inode will be freed after the RCU grace period too.
+ */
+ if (inode->i_security != NULL) {
+ call_rcu((struct rcu_head *)inode->i_security,
+ inode_free_by_rcu);
+ inode->i_security = NULL;
+ }
}
int security_dentry_init_security(struct dentry *dentry, int mode,
@@ -1315,22 +1528,36 @@ void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
int security_msg_msg_alloc(struct msg_msg *msg)
{
+ int rc = lsm_msg_msg_alloc(msg);
+
+ if (rc)
+ return rc;
return call_int_hook(msg_msg_alloc_security, 0, msg);
}
void security_msg_msg_free(struct msg_msg *msg)
{
call_void_hook(msg_msg_free_security, msg);
+ kfree(msg->security);
+ msg->security = NULL;
}
int security_msg_queue_alloc(struct msg_queue *msq)
{
+ int rc = lsm_ipc_alloc(&msq->q_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(msg_queue_alloc_security, 0, msq);
}
void security_msg_queue_free(struct msg_queue *msq)
{
+ struct kern_ipc_perm *kip = &msq->q_perm;
+
call_void_hook(msg_queue_free_security, msq);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
@@ -1357,12 +1584,20 @@ int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
int security_shm_alloc(struct shmid_kernel *shp)
{
+ int rc = lsm_ipc_alloc(&shp->shm_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(shm_alloc_security, 0, shp);
}
void security_shm_free(struct shmid_kernel *shp)
{
+ struct kern_ipc_perm *kip = &shp->shm_perm;
+
call_void_hook(shm_free_security, shp);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_shm_associate(struct shmid_kernel *shp, int shmflg)
@@ -1382,12 +1617,20 @@ int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmfl
int security_sem_alloc(struct sem_array *sma)
{
+ int rc = lsm_ipc_alloc(&sma->sem_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(sem_alloc_security, 0, sma);
}
void security_sem_free(struct sem_array *sma)
{
+ struct kern_ipc_perm *kip = &sma->sem_perm;
+
call_void_hook(sem_free_security, sma);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_sem_associate(struct sem_array *sma, int semflg)
@@ -1605,12 +1848,18 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
{
+ int rc = lsm_sock_alloc(sk, priority);
+
+ if (rc)
+ return rc;
return call_int_hook(sk_alloc_security, 0, sk, family, priority);
}
void security_sk_free(struct sock *sk)
{
call_void_hook(sk_free_security, sk);
+ kfree(sk->sk_security);
+ sk->sk_security = NULL;
}
void security_sk_clone(const struct sock *sk, struct sock *newsk)
@@ -1840,12 +2089,18 @@ EXPORT_SYMBOL(security_skb_classify_flow);
int security_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
+ int rc = lsm_key_alloc(key);
+
+ if (rc)
+ return rc;
return call_int_hook(key_alloc, 0, key, cred, flags);
}
void security_key_free(struct key *key)
{
call_void_hook(key_free, key);
+ kfree(key->security);
+ key->security = NULL;
}
int security_key_permission(key_ref_t key_ref,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b7909d710368..4c022182bb21 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -128,8 +128,6 @@ __setup("selinux=", selinux_enabled_setup);
int selinux_enabled = 1;
#endif
-static struct kmem_cache *sel_inode_cache;
-
/**
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
*
@@ -223,13 +221,9 @@ static inline u32 task_sid(const struct task_struct *task)
static int inode_alloc_security(struct inode *inode)
{
- struct inode_security_struct *isec;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 sid = current_sid();
- isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
- if (!isec)
- return -ENOMEM;
-
spin_lock_init(&isec->lock);
INIT_LIST_HEAD(&isec->list);
isec->inode = inode;
@@ -237,7 +231,6 @@ static int inode_alloc_security(struct inode *inode)
isec->sclass = SECCLASS_FILE;
isec->task_sid = sid;
isec->initialized = LABEL_INVALID;
- inode->i_security = isec;
return 0;
}
@@ -255,7 +248,7 @@ static int __inode_security_revalidate(struct inode *inode,
struct dentry *opt_dentry,
bool may_sleep)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
might_sleep_if(may_sleep);
@@ -275,7 +268,7 @@ static int __inode_security_revalidate(struct inode *inode,
static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
{
- return inode->i_security;
+ return selinux_inode(inode);
}
static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
@@ -285,7 +278,7 @@ static struct inode_security_struct *inode_security_rcu(struct inode *inode, boo
error = __inode_security_revalidate(inode, NULL, !rcu);
if (error)
return ERR_PTR(error);
- return inode->i_security;
+ return selinux_inode(inode);
}
/*
@@ -294,14 +287,14 @@ static struct inode_security_struct *inode_security_rcu(struct inode *inode, boo
static struct inode_security_struct *inode_security(struct inode *inode)
{
__inode_security_revalidate(inode, NULL, true);
- return inode->i_security;
+ return selinux_inode(inode);
}
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
{
struct inode *inode = d_backing_inode(dentry);
- return inode->i_security;
+ return selinux_inode(inode);
}
/*
@@ -312,21 +305,14 @@ static struct inode_security_struct *backing_inode_security(struct dentry *dentr
struct inode *inode = d_backing_inode(dentry);
__inode_security_revalidate(inode, dentry, true);
- return inode->i_security;
-}
-
-static void inode_free_rcu(struct rcu_head *head)
-{
- struct inode_security_struct *isec;
-
- isec = container_of(head, struct inode_security_struct, rcu);
- kmem_cache_free(sel_inode_cache, isec);
+ return selinux_inode(inode);
}
static void inode_free_security(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
+ struct superblock_security_struct *sbsec =
+ selinux_superblock(inode->i_sb);
/*
* As not all inode security structures are in a list, we check for
@@ -343,17 +329,6 @@ static void inode_free_security(struct inode *inode)
list_del_init(&isec->list);
spin_unlock(&sbsec->isec_lock);
}
-
- /*
- * The inode may still be referenced in a path walk and
- * a call to selinux_inode_permission() can be made
- * after inode_free_security() is called. Ideally, the VFS
- * wouldn't do this, but fixing that is a much harder
- * job. For now, simply free the i_security via RCU, and
- * leave the current inode->i_security pointer intact.
- * The inode will be freed after the RCU grace period too.
- */
- call_rcu(&isec->rcu, inode_free_rcu);
}
static int file_alloc_security(struct file *file)
@@ -369,11 +344,7 @@ static int file_alloc_security(struct file *file)
static int superblock_alloc_security(struct super_block *sb)
{
- struct superblock_security_struct *sbsec;
-
- sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
- if (!sbsec)
- return -ENOMEM;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
mutex_init(&sbsec->lock);
INIT_LIST_HEAD(&sbsec->isec_head);
@@ -382,18 +353,10 @@ static int superblock_alloc_security(struct super_block *sb)
sbsec->sid = SECINITSID_UNLABELED;
sbsec->def_sid = SECINITSID_FILE;
sbsec->mntpoint_sid = SECINITSID_UNLABELED;
- sb->s_security = sbsec;
return 0;
}
-static void superblock_free_security(struct super_block *sb)
-{
- struct superblock_security_struct *sbsec = sb->s_security;
- sb->s_security = NULL;
- kfree(sbsec);
-}
-
static inline int inode_doinit(struct inode *inode)
{
return inode_doinit_with_dentry(inode, NULL);
@@ -457,7 +420,7 @@ static int may_context_mount_inode_relabel(u32 sid,
static int selinux_is_sblabel_mnt(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
return sbsec->behavior == SECURITY_FS_USE_XATTR ||
sbsec->behavior == SECURITY_FS_USE_TRANS ||
@@ -476,7 +439,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
static int sb_finish_set_opts(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
struct dentry *root = sb->s_root;
struct inode *root_inode = d_backing_inode(root);
int rc = 0;
@@ -559,7 +522,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
struct security_mnt_opts *opts)
{
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
char *context = NULL;
u32 len;
char tmp;
@@ -622,7 +585,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct dentry *root = sbsec->sb->s_root;
- struct inode_security_struct *isec = backing_inode_security(root);
+ struct inode_security_struct *isec =
+ backing_inode_security(root);
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
@@ -675,7 +639,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
{
const struct cred *cred = current_cred();
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
const char *name = sb->s_type->name;
struct dentry *root = sbsec->sb->s_root;
struct inode_security_struct *root_isec;
@@ -924,8 +888,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
static int selinux_cmp_sb_context(const struct super_block *oldsb,
const struct super_block *newsb)
{
- struct superblock_security_struct *old = oldsb->s_security;
- struct superblock_security_struct *new = newsb->s_security;
+ struct superblock_security_struct *old = selinux_superblock(oldsb);
+ struct superblock_security_struct *new = selinux_superblock(newsb);
char oldflags = old->flags & SE_MNTMASK;
char newflags = new->flags & SE_MNTMASK;
@@ -957,8 +921,9 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
unsigned long *set_kern_flags)
{
int rc = 0;
- const struct superblock_security_struct *oldsbsec = oldsb->s_security;
- struct superblock_security_struct *newsbsec = newsb->s_security;
+ const struct superblock_security_struct *oldsbsec =
+ selinux_superblock(oldsb);
+ struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
int set_context = (oldsbsec->flags & CONTEXT_MNT);
@@ -1011,14 +976,17 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
if (!set_fscontext)
newsbsec->sid = sid;
if (!set_rootcontext) {
- struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
+ struct inode_security_struct *newisec =
+ backing_inode_security(newsb->s_root);
newisec->sid = sid;
}
newsbsec->mntpoint_sid = sid;
}
if (set_rootcontext) {
- const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
- struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
+ const struct inode_security_struct *oldisec =
+ backing_inode_security(oldsb->s_root);
+ struct inode_security_struct *newisec =
+ backing_inode_security(newsb->s_root);
newisec->sid = oldisec->sid;
}
@@ -1461,7 +1429,7 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
struct superblock_security_struct *sbsec = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 task_sid, sid = 0;
u16 sclass;
struct dentry *dentry;
@@ -1480,7 +1448,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
if (isec->sclass == SECCLASS_FILE)
isec->sclass = inode_mode_to_security_class(inode->i_mode);
- sbsec = inode->i_sb->s_security;
+ sbsec = selinux_superblock(inode->i_sb);
if (!(sbsec->flags & SE_SBINITIALIZED)) {
/* Defer initialization until selinux_complete_init,
after the initial policy is loaded and the security
@@ -1746,7 +1714,7 @@ static int inode_has_perm(const struct cred *cred,
return 0;
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = selinux_inode(inode);
return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
}
@@ -1843,7 +1811,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
const struct qstr *name, u16 tclass,
u32 *_new_isid)
{
- const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
+ const struct superblock_security_struct *sbsec =
+ selinux_superblock(dir->i_sb);
if ((sbsec->flags & SE_SBINITIALIZED) &&
(sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
@@ -1873,7 +1842,7 @@ static int may_create(struct inode *dir,
int rc;
dsec = inode_security(dir);
- sbsec = dir->i_sb->s_security;
+ sbsec = selinux_superblock(dir->i_sb);
sid = tsec->sid;
@@ -2012,7 +1981,7 @@ static int superblock_has_perm(const struct cred *cred,
struct superblock_security_struct *sbsec;
u32 sid = cred_sid(cred);
- sbsec = sb->s_security;
+ sbsec = selinux_superblock(sb);
return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
@@ -2607,11 +2576,6 @@ static int selinux_sb_alloc_security(struct super_block *sb)
return superblock_alloc_security(sb);
}
-static void selinux_sb_free_security(struct super_block *sb)
-{
- superblock_free_security(sb);
-}
-
static inline int match_prefix(char *prefix, int plen, char *option, int olen)
{
if (plen > olen)
@@ -2708,7 +2672,7 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
int rc, i, *flags;
struct security_mnt_opts opts;
char *secdata, **mount_options;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
if (!(sbsec->flags & SE_SBINITIALIZED))
return 0;
@@ -2899,7 +2863,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
int rc;
char *context;
- sbsec = dir->i_sb->s_security;
+ sbsec = selinux_superblock(dir->i_sb);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -2913,7 +2877,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
/* Possibly defer initialization to selinux_complete_init. */
if (sbsec->flags & SE_SBINITIALIZED) {
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
isec->sclass = inode_mode_to_security_class(inode->i_mode);
isec->sid = newsid;
isec->initialized = LABEL_INITIALIZED;
@@ -3011,7 +2975,7 @@ static noinline int audit_inode_permission(struct inode *inode,
unsigned flags)
{
struct common_audit_data ad;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
int rc;
ad.type = LSM_AUDIT_DATA_INODE;
@@ -3147,7 +3111,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
- sbsec = inode->i_sb->s_security;
+ sbsec = selinux_superblock(inode->i_sb);
if (!(sbsec->flags & SBLABEL_MNT))
return -EOPNOTSUPP;
@@ -3980,7 +3944,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
static void selinux_task_to_inode(struct task_struct *p,
struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 sid = task_sid(p);
spin_lock(&isec->lock);
@@ -4266,7 +4230,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
static int sock_has_perm(struct sock *sk, u32 perms)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4321,7 +4285,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
isec->initialized = LABEL_INITIALIZED;
if (sock->sk) {
- sksec = sock->sk->sk_security;
+ sksec = selinux_sock(sock->sk);
sksec->sclass = sclass;
sksec->sid = sid;
err = selinux_netlbl_socket_post_create(sock->sk, family);
@@ -4352,7 +4316,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
family = sk->sk_family;
if (family == PF_INET || family == PF_INET6) {
char *addrp;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
struct sockaddr_in *addr4 = NULL;
@@ -4445,7 +4409,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
int err;
err = sock_has_perm(sk, SOCKET__CONNECT);
@@ -4577,9 +4541,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
{
- struct sk_security_struct *sksec_sock = sock->sk_security;
- struct sk_security_struct *sksec_other = other->sk_security;
- struct sk_security_struct *sksec_new = newsk->sk_security;
+ struct sk_security_struct *sksec_sock = selinux_sock(sock);
+ struct sk_security_struct *sksec_other = selinux_sock(other);
+ struct sk_security_struct *sksec_new = selinux_sock(newsk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
int err;
@@ -4610,8 +4574,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
static int selinux_socket_unix_may_send(struct socket *sock,
struct socket *other)
{
- struct sk_security_struct *ssec = sock->sk->sk_security;
- struct sk_security_struct *osec = other->sk->sk_security;
+ struct sk_security_struct *ssec = selinux_sock(sock->sk);
+ struct sk_security_struct *osec = selinux_sock(other->sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4650,7 +4614,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
int err = 0;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4682,7 +4646,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
int err;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
@@ -4748,13 +4712,15 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return err;
}
-static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
- int __user *optlen, unsigned len)
+static int selinux_socket_getpeersec_stream(struct socket *sock,
+ __user char *optval,
+ __user int *optlen,
+ unsigned int len)
{
int err = 0;
char *scontext;
u32 scontext_len;
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sock->sk);
u32 peer_sid = SECSID_NULL;
if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
@@ -4812,34 +4778,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
{
- struct sk_security_struct *sksec;
-
- sksec = kzalloc(sizeof(*sksec), priority);
- if (!sksec)
- return -ENOMEM;
+ struct sk_security_struct *sksec = selinux_sock(sk);
sksec->peer_sid = SECINITSID_UNLABELED;
sksec->sid = SECINITSID_UNLABELED;
sksec->sclass = SECCLASS_SOCKET;
selinux_netlbl_sk_security_reset(sksec);
- sk->sk_security = sksec;
return 0;
}
static void selinux_sk_free_security(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
- sk->sk_security = NULL;
selinux_netlbl_sk_security_free(sksec);
- kfree(sksec);
}
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
{
- struct sk_security_struct *sksec = sk->sk_security;
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
+ struct sk_security_struct *newsksec = selinux_sock(newsk);
newsksec->sid = sksec->sid;
newsksec->peer_sid = sksec->peer_sid;
@@ -4853,7 +4812,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
if (!sk)
*secid = SECINITSID_ANY_SOCKET;
else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
*secid = sksec->sid;
}
@@ -4863,7 +4822,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
struct inode_security_struct *isec =
inode_security_novalidate(SOCK_INODE(parent));
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
sk->sk_family == PF_UNIX)
@@ -4874,7 +4833,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
int err;
u16 family = req->rsk_ops->family;
u32 connsid;
@@ -4895,7 +4854,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void selinux_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *newsksec = selinux_sock(newsk);
newsksec->sid = req->secid;
newsksec->peer_sid = req->peer_secid;
@@ -4912,7 +4871,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
{
u16 family = sk->sk_family;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
/* handle mapped IPv4 packets arriving via IPv6 sockets */
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -4992,7 +4951,7 @@ static int selinux_tun_dev_attach_queue(void *security)
static int selinux_tun_dev_attach(struct sock *sk, void *security)
{
struct tun_security_struct *tunsec = security;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
/* we don't currently perform any NetLabel based labeling here and it
* isn't clear that we would want to do so anyway; while we could apply
@@ -5031,7 +4990,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
int err = 0;
u32 perm;
struct nlmsghdr *nlh;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (skb->len < NLMSG_HDRLEN) {
err = -EINVAL;
@@ -5170,7 +5129,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
return NF_ACCEPT;
/* standard practice, label using the parent socket */
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
sid = sksec->sid;
} else
sid = SECINITSID_KERNEL;
@@ -5209,7 +5168,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
if (sk == NULL)
return NF_ACCEPT;
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net;
@@ -5300,7 +5259,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
u32 skb_sid;
struct sk_security_struct *sksec;
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
return NF_DROP;
/* At this point, if the returned skb peerlbl is SECSID_NULL
@@ -5329,7 +5288,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
} else {
/* Locally generated packet, fetch the security label from the
* associated socket. */
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
peer_sid = sksec->sid;
secmark_perm = PACKET__SEND;
}
@@ -5389,51 +5348,22 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
return selinux_nlmsg_perm(sk, skb);
}
-static int ipc_alloc_security(struct kern_ipc_perm *perm,
- u16 sclass)
+static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
{
- struct ipc_security_struct *isec;
-
- isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
- if (!isec)
- return -ENOMEM;
-
isec->sclass = sclass;
isec->sid = current_sid();
- perm->security = isec;
-
- return 0;
-}
-
-static void ipc_free_security(struct kern_ipc_perm *perm)
-{
- struct ipc_security_struct *isec = perm->security;
- perm->security = NULL;
- kfree(isec);
}
static int msg_msg_alloc_security(struct msg_msg *msg)
{
struct msg_security_struct *msec;
- msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
- if (!msec)
- return -ENOMEM;
-
+ msec = selinux_msg_msg(msg);
msec->sid = SECINITSID_UNLABELED;
- msg->security = msec;
return 0;
}
-static void msg_msg_free_security(struct msg_msg *msg)
-{
- struct msg_security_struct *msec = msg->security;
-
- msg->security = NULL;
- kfree(msec);
-}
-
static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
u32 perms)
{
@@ -5441,7 +5371,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
struct common_audit_data ad;
u32 sid = current_sid();
- isec = ipc_perms->security;
+ isec = selinux_ipc(ipc_perms);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = ipc_perms->key;
@@ -5454,11 +5384,6 @@ static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
return msg_msg_alloc_security(msg);
}
-static void selinux_msg_msg_free_security(struct msg_msg *msg)
-{
- msg_msg_free_security(msg);
-}
-
/* message queue security operations */
static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
{
@@ -5467,27 +5392,15 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
- if (rc)
- return rc;
-
- isec = msq->q_perm.security;
+ isec = selinux_ipc(&msq->q_perm);
+ ipc_init_security(isec, SECCLASS_MSGQ);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
MSGQ__CREATE, &ad);
- if (rc) {
- ipc_free_security(&msq->q_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_msg_queue_free_security(struct msg_queue *msq)
-{
- ipc_free_security(&msq->q_perm);
+ return rc;
}
static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
@@ -5496,7 +5409,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = msq->q_perm.security;
+ isec = selinux_ipc(&msq->q_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -5542,8 +5455,8 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = current_sid();
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = selinux_ipc(&msq->q_perm);
+ msec = selinux_msg_msg(msg);
/*
* First time through, need to assign label to the message
@@ -5587,8 +5500,8 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = task_sid(target);
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = selinux_ipc(&msq->q_perm);
+ msec = selinux_msg_msg(msg);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -5609,27 +5522,15 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
- if (rc)
- return rc;
-
- isec = shp->shm_perm.security;
+ isec = selinux_ipc(&shp->shm_perm);
+ ipc_init_security(isec, SECCLASS_SHM);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
SHM__CREATE, &ad);
- if (rc) {
- ipc_free_security(&shp->shm_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_shm_free_security(struct shmid_kernel *shp)
-{
- ipc_free_security(&shp->shm_perm);
+ return rc;
}
static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
@@ -5638,7 +5539,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = shp->shm_perm.security;
+ isec = selinux_ipc(&shp->shm_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -5702,27 +5603,15 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
- if (rc)
- return rc;
-
- isec = sma->sem_perm.security;
+ isec = selinux_ipc(&sma->sem_perm);
+ ipc_init_security(isec, SECCLASS_SEM);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
SEM__CREATE, &ad);
- if (rc) {
- ipc_free_security(&sma->sem_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_sem_free_security(struct sem_array *sma)
-{
- ipc_free_security(&sma->sem_perm);
+ return rc;
}
static int selinux_sem_associate(struct sem_array *sma, int semflg)
@@ -5731,7 +5620,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = sma->sem_perm.security;
+ isec = selinux_ipc(&sma->sem_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5814,7 +5703,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- struct ipc_security_struct *isec = ipcp->security;
+ struct ipc_security_struct *isec = selinux_ipc(ipcp);
*secid = isec->sid;
}
@@ -6024,7 +5913,7 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
static void selinux_inode_invalidate_secctx(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
spin_lock(&isec->lock);
isec->initialized = LABEL_INVALID;
@@ -6063,11 +5952,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
unsigned long flags)
{
const struct task_security_struct *tsec;
- struct key_security_struct *ksec;
-
- ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
- if (!ksec)
- return -ENOMEM;
+ struct key_security_struct *ksec = selinux_key(k);
tsec = selinux_cred(cred);
if (tsec->keycreate_sid)
@@ -6075,18 +5960,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
else
ksec->sid = tsec->sid;
- k->security = ksec;
return 0;
}
-static void selinux_key_free(struct key *k)
-{
- struct key_security_struct *ksec = k->security;
-
- k->security = NULL;
- kfree(ksec);
-}
-
static int selinux_key_permission(key_ref_t key_ref,
const struct cred *cred,
unsigned perm)
@@ -6104,14 +5980,14 @@ static int selinux_key_permission(key_ref_t key_ref,
sid = cred_sid(cred);
key = key_ref_to_ptr(key_ref);
- ksec = key->security;
+ ksec = selinux_key(key);
return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
static int selinux_key_getsecurity(struct key *key, char **_buffer)
{
- struct key_security_struct *ksec = key->security;
+ struct key_security_struct *ksec = selinux_key(key);
char *context = NULL;
unsigned len;
int rc;
@@ -6191,6 +6067,14 @@ static void selinux_ib_free_security(void *ib_sec)
struct lsm_blob_sizes selinux_blob_sizes = {
.lbs_cred = sizeof(struct task_security_struct),
.lbs_file = sizeof(struct file_security_struct),
+ .lbs_inode = sizeof(struct inode_security_struct),
+ .lbs_ipc = sizeof(struct ipc_security_struct),
+#ifdef CONFIG_KEYS
+ .lbs_key = sizeof(struct key_security_struct),
+#endif /* CONFIG_KEYS */
+ .lbs_msg_msg = sizeof(struct msg_security_struct),
+ .lbs_sock = sizeof(struct sk_security_struct),
+ .lbs_superblock = sizeof(struct superblock_security_struct),
};
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
@@ -6217,7 +6101,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
- LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
@@ -6300,24 +6183,20 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
- LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
LSM_HOOK_INIT(msg_queue_alloc_security,
selinux_msg_queue_alloc_security),
- LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
- LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
- LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
@@ -6399,7 +6278,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
#ifdef CONFIG_KEYS
LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
- LSM_HOOK_INIT(key_free, selinux_key_free),
LSM_HOOK_INIT(key_permission, selinux_key_permission),
LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
#endif
@@ -6439,9 +6317,6 @@ static __init int selinux_init(void)
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
- sel_inode_cache = kmem_cache_create("selinux_inode_security",
- sizeof(struct inode_security_struct),
- 0, SLAB_PANIC, NULL);
avc_init();
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 1f39105731ee..11a372c0e919 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -59,10 +59,7 @@ enum label_initialized {
struct inode_security_struct {
struct inode *inode; /* back pointer to inode object */
- union {
- struct list_head list; /* list of inode_security_struct */
- struct rcu_head rcu; /* for freeing the inode_security_struct */
- };
+ struct list_head list; /* list of inode_security_struct */
u32 task_sid; /* SID of creating task */
u32 sid; /* SID of this object */
u16 sclass; /* security class of this object */
@@ -166,4 +163,64 @@ static inline struct file_security_struct *selinux_file(const struct file *file)
return file->f_security;
}
+static inline struct inode_security_struct *selinux_inode(
+ const struct inode *inode)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return inode->i_security + selinux_blob_sizes.lbs_inode;
+#else
+ return inode->i_security;
+#endif
+}
+
+static inline struct superblock_security_struct *selinux_superblock(
+ const struct super_block *superblock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return superblock->s_security + selinux_blob_sizes.lbs_superblock;
+#else
+ return superblock->s_security;
+#endif
+}
+
+static inline struct msg_security_struct *selinux_msg_msg(
+ const struct msg_msg *msg_msg)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
+#else
+ return msg_msg->security;
+#endif
+}
+
+static inline struct ipc_security_struct *selinux_ipc(
+ const struct kern_ipc_perm *ipc)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return ipc->security + selinux_blob_sizes.lbs_ipc;
+#else
+ return ipc->security;
+#endif
+}
+
+#ifdef CONFIG_KEYS
+static inline struct key_security_struct *selinux_key(const struct key *key)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return key->security + selinux_blob_sizes.lbs_key;
+#else
+ return key->security;
+#endif
+}
+#endif /* CONFIG_KEYS */
+
+static inline struct sk_security_struct *selinux_sock(const struct sock *sock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return sock->sk_security + selinux_blob_sizes.lbs_sock;
+#else
+ return sock->sk_security;
+#endif
+}
+
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index aaba6677ee2e..0b0091c04688 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -32,6 +32,7 @@
#include <linux/gfp.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
+#include <linux/lsm_hooks.h>
#include <net/sock.h>
#include <net/netlabel.h>
#include <net/ip.h>
@@ -82,7 +83,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_secattr != NULL)
@@ -114,7 +115,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
const struct sock *sk,
u32 sid)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr;
if (secattr == NULL)
@@ -249,7 +250,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
* being labeled by it's parent socket, if it is just exit */
sk = skb_to_full_sk(skb);
if (sk != NULL) {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (sksec->nlbl_state != NLBL_REQSKB)
return 0;
secattr = selinux_netlbl_sock_getattr(sk, sid);
@@ -311,7 +312,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
*/
void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (family == PF_INET)
sksec->nlbl_state = NLBL_LABELED;
@@ -332,7 +333,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (family != PF_INET && family != PF_INET6)
@@ -446,7 +447,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
{
int rc = 0;
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr secattr;
if (selinux_netlbl_option(level, optname) &&
@@ -482,7 +483,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_state != NLBL_REQSKB &&
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 855a13053a81..1b4bed79101e 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1300,7 +1300,7 @@ static int sel_make_bools(void)
if (len >= PAGE_SIZE)
goto out;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = (struct inode_security_struct *)selinux_inode(inode);
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
if (ret) {
pr_warn_ratelimited("SELinux: no sid found, defaulting to security isid for %s\n",
@@ -1841,7 +1841,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
goto err;
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = (struct inode_security_struct *)selinux_inode(inode);
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = LABEL_INITIALIZED;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2f02fa67ec2e..4558a23d160e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -52,6 +52,7 @@
#include <linux/selinux.h>
#include <linux/flex_array.h>
#include <linux/vmalloc.h>
+#include <linux/lsm_hooks.h>
#include <net/netlabel.h>
#include "flask.h"
@@ -2654,7 +2655,7 @@ int security_fs_use(struct super_block *sb)
{
int rc = 0;
struct ocontext *c;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
const char *fstype = sb->s_type->name;
read_lock(&policy_rwlock);
diff --git a/security/smack/smack.h b/security/smack/smack.h
index d14e8d17eea0..1b875c2f3d9d 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -366,12 +366,69 @@ static inline struct smack_known **smack_file(const struct file *file)
return file->f_security;
}
+static inline struct inode_smack *smack_inode(const struct inode *inode)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return inode->i_security + smack_blob_sizes.lbs_inode;
+#else
+ return inode->i_security;
+#endif
+}
+
+static inline struct socket_smack *smack_sock(const struct sock *sock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return sock->sk_security + smack_blob_sizes.lbs_sock;
+#else
+ return sock->sk_security;
+#endif
+}
+
+static inline struct superblock_smack *smack_superblock(
+ const struct super_block *superblock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return superblock->s_security + smack_blob_sizes.lbs_superblock;
+#else
+ return superblock->s_security;
+#endif
+}
+
+static inline struct smack_known **smack_msg_msg(const struct msg_msg *msg)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return msg->security + smack_blob_sizes.lbs_msg_msg;
+#else
+ return msg->security;
+#endif
+}
+
+static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return ipc->security + smack_blob_sizes.lbs_ipc;
+#else
+ return ipc->security;
+#endif
+}
+
+#ifdef CONFIG_KEYS
+static inline struct smack_known **smack_key(const struct key *key)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return key->security + smack_blob_sizes.lbs_key;
+#else
+ return key->security;
+#endif
+}
+#endif /* CONFIG_KEYS */
+
/*
* Is the directory transmuting?
*/
static inline int smk_inode_transmutable(const struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = smack_inode(isp);
return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
}
@@ -380,7 +437,7 @@ static inline int smk_inode_transmutable(const struct inode *isp)
*/
static inline struct smack_known *smk_of_inode(const struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = smack_inode(isp);
return sip->smk_inode;
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c2a585cfef98..bbc27d444662 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -165,7 +165,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
static int smk_bu_inode(struct inode *inode, int mode, int rc)
{
struct task_smack *tsp = smack_cred(current_cred());
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -197,7 +197,7 @@ static int smk_bu_file(struct file *file, int mode, int rc)
struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -227,7 +227,7 @@ static int smk_bu_credfile(const struct cred *cred, struct file *file,
struct task_smack *tsp = smack_cred(cred);
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -287,24 +287,18 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip,
}
/**
- * new_inode_smack - allocate an inode security blob
+ * init_inode_smack - initialize an inode security blob
+ * @isp: the blob to initialize
* @skp: a pointer to the Smack label entry to use in the blob
*
- * Returns the new blob or NULL if there's no memory available
*/
-static struct inode_smack *new_inode_smack(struct smack_known *skp)
+static void init_inode_smack(struct inode *inode, struct smack_known *skp)
{
- struct inode_smack *isp;
-
- isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS);
- if (isp == NULL)
- return NULL;
+ struct inode_smack *isp = smack_inode(inode);
isp->smk_inode = skp;
isp->smk_flags = 0;
mutex_init(&isp->smk_lock);
-
- return isp;
}
/**
@@ -525,12 +519,7 @@ static int smack_syslog(int typefrom_file)
*/
static int smack_sb_alloc_security(struct super_block *sb)
{
- struct superblock_smack *sbsp;
-
- sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);
-
- if (sbsp == NULL)
- return -ENOMEM;
+ struct superblock_smack *sbsp = smack_superblock(sb);
sbsp->smk_root = &smack_known_floor;
sbsp->smk_default = &smack_known_floor;
@@ -539,23 +528,11 @@ static int smack_sb_alloc_security(struct super_block *sb)
/*
* SMK_SB_INITIALIZED will be zero from kzalloc.
*/
- sb->s_security = sbsp;
return 0;
}
/**
- * smack_sb_free_security - free a superblock blob
- * @sb: the superblock getting the blob
- *
- */
-static void smack_sb_free_security(struct super_block *sb)
-{
- kfree(sb->s_security);
- sb->s_security = NULL;
-}
-
-/**
* smack_sb_copy_data - copy mount options data for processing
* @orig: where to start
* @smackopts: mount options string
@@ -745,7 +722,7 @@ static int smack_set_mnt_opts(struct super_block *sb,
{
struct dentry *root = sb->s_root;
struct inode *inode = d_backing_inode(root);
- struct superblock_smack *sp = sb->s_security;
+ struct superblock_smack *sp = smack_superblock(sb);
struct inode_smack *isp;
struct smack_known *skp;
int i;
@@ -823,17 +800,13 @@ static int smack_set_mnt_opts(struct super_block *sb,
/*
* Initialize the root inode.
*/
- isp = inode->i_security;
- if (isp == NULL) {
- isp = new_inode_smack(sp->smk_root);
- if (isp == NULL)
- return -ENOMEM;
- inode->i_security = isp;
- } else
- isp->smk_inode = sp->smk_root;
+ lsm_early_inode(inode);
+ init_inode_smack(inode, sp->smk_root);
- if (transmute)
+ if (transmute) {
+ isp = smack_inode(inode);
isp->smk_flags |= SMK_INODE_TRANSMUTE;
+ }
return 0;
}
@@ -878,7 +851,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
*/
static int smack_sb_statfs(struct dentry *dentry)
{
- struct superblock_smack *sbp = dentry->d_sb->s_security;
+ struct superblock_smack *sbp = smack_superblock(dentry->d_sb);
int rc;
struct smk_audit_info ad;
@@ -911,11 +884,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- isp = inode->i_security;
+ isp = smack_inode(inode);
if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
return 0;
- sbsp = inode->i_sb->s_security;
+ sbsp = smack_superblock(inode->i_sb);
if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
isp->smk_task != sbsp->smk_root)
return 0;
@@ -988,49 +961,11 @@ static int smack_inode_alloc_security(struct inode *inode)
{
struct smack_known *skp = smk_of_current();
- inode->i_security = new_inode_smack(skp);
- if (inode->i_security == NULL)
- return -ENOMEM;
+ init_inode_smack(inode, skp);
return 0;
}
/**
- * smack_inode_free_rcu - Free inode_smack blob from cache
- * @head: the rcu_head for getting inode_smack pointer
- *
- * Call back function called from call_rcu() to free
- * the i_security blob pointer in inode
- */
-static void smack_inode_free_rcu(struct rcu_head *head)
-{
- struct inode_smack *issp;
-
- issp = container_of(head, struct inode_smack, smk_rcu);
- kmem_cache_free(smack_inode_cache, issp);
-}
-
-/**
- * smack_inode_free_security - free an inode blob using call_rcu()
- * @inode: the inode with a blob
- *
- * Clears the blob pointer in inode using RCU
- */
-static void smack_inode_free_security(struct inode *inode)
-{
- struct inode_smack *issp = inode->i_security;
-
- /*
- * The inode may still be referenced in a path walk and
- * a call to smack_inode_permission() can be made
- * after smack_inode_free_security() is called.
- * To avoid race condition free the i_security via RCU
- * and leave the current inode->i_security pointer intact.
- * The inode will be freed after the RCU grace period too.
- */
- call_rcu(&issp->smk_rcu, smack_inode_free_rcu);
-}
-
-/**
* smack_inode_init_security - copy out the smack from an inode
* @inode: the newly created inode
* @dir: containing directory object
@@ -1045,7 +980,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, const char **name,
void **value, size_t *len)
{
- struct inode_smack *issp = inode->i_security;
+ struct inode_smack *issp = smack_inode(inode);
struct smack_known *skp = smk_of_current();
struct smack_known *isp = smk_of_inode(inode);
struct smack_known *dsp = smk_of_inode(dir);
@@ -1383,7 +1318,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
struct smack_known *skp;
- struct inode_smack *isp = d_backing_inode(dentry)->i_security;
+ struct inode_smack *isp = smack_inode(d_backing_inode(dentry));
if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
isp->smk_flags |= SMK_INODE_TRANSMUTE;
@@ -1464,7 +1399,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
if (rc != 0)
return rc;
- isp = d_backing_inode(dentry)->i_security;
+ isp = smack_inode(d_backing_inode(dentry));
/*
* Don't do anything special for these.
* XATTR_NAME_SMACKIPIN
@@ -1524,7 +1459,7 @@ static int smack_inode_getsecurity(struct inode *inode,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
isp = ssp->smk_in;
@@ -1567,7 +1502,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
*/
static void smack_inode_getsecid(struct inode *inode, u32 *secid)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
*secid = isp->smk_inode->smk_secid;
}
@@ -1744,7 +1679,7 @@ static int smack_mmap_file(struct file *file,
if (unlikely(IS_PRIVATE(file_inode(file))))
return 0;
- isp = file_inode(file)->i_security;
+ isp = smack_inode(file_inode(file));
if (isp->smk_mmap == NULL)
return 0;
sbsp = file_inode(file)->i_sb->s_security;
@@ -1900,7 +1835,7 @@ static int smack_file_receive(struct file *file)
if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
sock = SOCKET_I(inode);
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
tsp = smack_cred(current_cred());
/*
* If the receiving process can't write to the
@@ -2069,7 +2004,7 @@ static int smack_kernel_act_as(struct cred *new, u32 secid)
static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
struct task_smack *tsp = smack_cred(new);
tsp->smk_forked = isp->smk_inode;
@@ -2271,7 +2206,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
*/
static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
struct smack_known *skp = smk_of_task_struct(p);
isp->smk_inode = skp;
@@ -2294,11 +2229,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
{
struct smack_known *skp = smk_of_current();
- struct socket_smack *ssp;
-
- ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
- if (ssp == NULL)
- return -ENOMEM;
+ struct socket_smack *ssp = smack_sock(sk);
/*
* Sockets created by kernel threads receive web label.
@@ -2312,11 +2243,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
}
ssp->smk_packet = NULL;
- sk->sk_security = ssp;
-
return 0;
}
+#ifdef SMACK_IPV6_PORT_LABELING
/**
* smack_sk_free_security - Free a socket blob
* @sk: the socket
@@ -2325,7 +2255,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
*/
static void smack_sk_free_security(struct sock *sk)
{
-#ifdef SMACK_IPV6_PORT_LABELING
struct smk_port_label *spp;
if (sk->sk_family == PF_INET6) {
@@ -2338,9 +2267,8 @@ static void smack_sk_free_security(struct sock *sk)
}
rcu_read_unlock();
}
-#endif
- kfree(sk->sk_security);
}
+#endif
/**
* smack_ipv4host_label - check host based restrictions
@@ -2458,7 +2386,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
static int smack_netlabel(struct sock *sk, int labeled)
{
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
int rc = 0;
/*
@@ -2503,7 +2431,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
int rc;
int sk_lbl;
struct smack_known *hkp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smk_audit_info ad;
rcu_read_lock();
@@ -2579,7 +2507,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
{
struct sock *sk = sock->sk;
struct sockaddr_in6 *addr6;
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
struct smk_port_label *spp;
unsigned short port = 0;
@@ -2666,7 +2594,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
int act)
{
struct smk_port_label *spp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp = NULL;
unsigned short port;
struct smack_known *object;
@@ -2733,7 +2661,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
struct smack_known *skp;
- struct inode_smack *nsp = inode->i_security;
+ struct inode_smack *nsp = smack_inode(inode);
struct socket_smack *ssp;
struct socket *sock;
int rc = 0;
@@ -2760,7 +2688,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
ssp->smk_in = skp;
@@ -2808,7 +2736,7 @@ static int smack_socket_post_create(struct socket *sock, int family,
* Sockets created by kernel threads receive web label.
*/
if (unlikely(current->flags & PF_KTHREAD)) {
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
ssp->smk_in = &smack_known_web;
ssp->smk_out = &smack_known_web;
}
@@ -2860,7 +2788,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
struct smack_known *rsp;
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
#endif
if (sock->sk == NULL)
@@ -2917,35 +2845,13 @@ static int smack_flags_to_may(int flags)
*/
static int smack_msg_msg_alloc_security(struct msg_msg *msg)
{
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_msg_msg(msg);
- msg->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_msg_msg_free_security - Clear the security blob for msg_msg
- * @msg: the object
- *
- * Clears the blob pointer
- */
-static void smack_msg_msg_free_security(struct msg_msg *msg)
-{
- msg->security = NULL;
-}
-
-/**
- * smack_of_shm - the smack pointer for the shm
- * @shp: the object
- *
- * Returns a pointer to the smack value
- */
-static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
-{
- return (struct smack_known *)shp->shm_perm.security;
-}
-
-/**
* smack_shm_alloc_security - Set the security blob for shm
* @shp: the object
*
@@ -2953,27 +2859,13 @@ static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
*/
static int smack_shm_alloc_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&shp->shm_perm);
- isp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_shm_free_security - Clear the security blob for shm
- * @shp: the object
- *
- * Clears the blob pointer
- */
-static void smack_shm_free_security(struct shmid_kernel *shp)
-{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = NULL;
-}
-
-/**
* smk_curacc_shm : check if current has access on shm
* @shp : the object
* @access : access requested
@@ -2982,7 +2874,8 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
*/
static int smk_curacc_shm(struct shmid_kernel *shp, int access)
{
- struct smack_known *ssp = smack_of_shm(shp);
+ struct smack_known **blob = smack_ipc(&shp->shm_perm);
+ struct smack_known *ssp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3062,17 +2955,6 @@ static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
}
/**
- * smack_of_sem - the smack pointer for the sem
- * @sma: the object
- *
- * Returns a pointer to the smack value
- */
-static struct smack_known *smack_of_sem(struct sem_array *sma)
-{
- return (struct smack_known *)sma->sem_perm.security;
-}
-
-/**
* smack_sem_alloc_security - Set the security blob for sem
* @sma: the object
*
@@ -3080,27 +2962,13 @@ static struct smack_known *smack_of_sem(struct sem_array *sma)
*/
static int smack_sem_alloc_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&sma->sem_perm);
- isp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_sem_free_security - Clear the security blob for sem
- * @sma: the object
- *
- * Clears the blob pointer
- */
-static void smack_sem_free_security(struct sem_array *sma)
-{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = NULL;
-}
-
-/**
* smk_curacc_sem : check if current has access on sem
* @sma : the object
* @access : access requested
@@ -3109,7 +2977,8 @@ static void smack_sem_free_security(struct sem_array *sma)
*/
static int smk_curacc_sem(struct sem_array *sma, int access)
{
- struct smack_known *ssp = smack_of_sem(sma);
+ struct smack_known **blob = smack_ipc(&sma->sem_perm);
+ struct smack_known *ssp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3195,45 +3064,20 @@ static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
}
/**
- * smack_msg_alloc_security - Set the security blob for msg
+ * smack_msg_queue_alloc_security - Set the security blob for msg
* @msq: the object
*
* Returns 0
*/
static int smack_msg_queue_alloc_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&msq->q_perm);
- kisp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_msg_free_security - Clear the security blob for msg
- * @msq: the object
- *
- * Clears the blob pointer
- */
-static void smack_msg_queue_free_security(struct msg_queue *msq)
-{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = NULL;
-}
-
-/**
- * smack_of_msq - the smack pointer for the msq
- * @msq: the object
- *
- * Returns a pointer to the smack label entry
- */
-static struct smack_known *smack_of_msq(struct msg_queue *msq)
-{
- return (struct smack_known *)msq->q_perm.security;
-}
-
-/**
* smk_curacc_msq : helper to check if current has access on msq
* @msq : the msq
* @access : access requested
@@ -3242,7 +3086,8 @@ static struct smack_known *smack_of_msq(struct msg_queue *msq)
*/
static int smk_curacc_msq(struct msg_queue *msq, int access)
{
- struct smack_known *msp = smack_of_msq(msq);
+ struct smack_known **blob = smack_ipc(&msq->q_perm);
+ struct smack_known *msp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3345,7 +3190,8 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
*/
static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
{
- struct smack_known *iskp = ipp->security;
+ struct smack_known **blob = smack_ipc(ipp);
+ struct smack_known *iskp = *blob;
int may = smack_flags_to_may(flag);
struct smk_audit_info ad;
int rc;
@@ -3366,7 +3212,8 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
*/
static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
{
- struct smack_known *iskp = ipp->security;
+ struct smack_known **blob = smack_ipc(ipp);
+ struct smack_known *iskp = *blob;
*secid = iskp->smk_secid;
}
@@ -3394,7 +3241,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
if (inode == NULL)
return;
- isp = inode->i_security;
+ isp = smack_inode(inode);
mutex_lock(&isp->smk_lock);
/*
@@ -3405,7 +3252,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
goto unlockandout;
sbp = inode->i_sb;
- sbsp = sbp->s_security;
+ sbsp = smack_superblock(sbp);
/*
* We're going to use the superblock default label
* if there's no label on the file.
@@ -3699,9 +3546,9 @@ static int smack_unix_stream_connect(struct sock *sock,
{
struct smack_known *skp;
struct smack_known *okp;
- struct socket_smack *ssp = sock->sk_security;
- struct socket_smack *osp = other->sk_security;
- struct socket_smack *nsp = newsk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock);
+ struct socket_smack *osp = smack_sock(other);
+ struct socket_smack *nsp = smack_sock(newsk);
struct smk_audit_info ad;
int rc = 0;
#ifdef CONFIG_AUDIT
@@ -3747,8 +3594,8 @@ static int smack_unix_stream_connect(struct sock *sock,
*/
static int smack_unix_may_send(struct socket *sock, struct socket *other)
{
- struct socket_smack *ssp = sock->sk->sk_security;
- struct socket_smack *osp = other->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
+ struct socket_smack *osp = smack_sock(other->sk);
struct smk_audit_info ad;
int rc;
@@ -3785,7 +3632,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
struct smack_known *rsp;
#endif
int rc = 0;
@@ -3949,7 +3796,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct netlbl_lsm_secattr secattr;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp = NULL;
int rc = 0;
struct smk_audit_info ad;
@@ -4058,7 +3905,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
int slen = 1;
int rc = 0;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (ssp->smk_packet != NULL) {
rcp = ssp->smk_packet->smk_known;
slen = strlen(rcp) + 1;
@@ -4108,7 +3955,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
switch (family) {
case PF_UNIX:
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
s = ssp->smk_out->smk_secid;
break;
case PF_INET:
@@ -4121,7 +3968,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
* Translate what netlabel gave us.
*/
if (sock != NULL && sock->sk != NULL)
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0) {
@@ -4159,7 +4006,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
(sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
return;
- ssp = sk->sk_security;
+ ssp = smack_sock(sk);
ssp->smk_in = skp;
ssp->smk_out = skp;
/* cssp->smk_packet is already set in smack_inet_csk_clone() */
@@ -4179,7 +4026,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
{
u16 family = sk->sk_family;
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct netlbl_lsm_secattr secattr;
struct sockaddr_in addr;
struct iphdr *hdr;
@@ -4278,7 +4125,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void smack_inet_csk_clone(struct sock *sk,
const struct request_sock *req)
{
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp;
if (req->peer_secid != 0) {
@@ -4310,24 +4157,14 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
+ struct smack_known **blob = smack_key(key);
struct smack_known *skp = smk_of_task(smack_cred(cred));
- key->security = skp;
+ *blob = skp;
return 0;
}
/**
- * smack_key_free - Clear the key security blob
- * @key: the object
- *
- * Clear the blob pointer
- */
-static void smack_key_free(struct key *key)
-{
- key->security = NULL;
-}
-
-/**
* smack_key_permission - Smack access on a key
* @key_ref: gets to the object
* @cred: the credentials to use
@@ -4339,6 +4176,8 @@ static void smack_key_free(struct key *key)
static int smack_key_permission(key_ref_t key_ref,
const struct cred *cred, unsigned perm)
{
+ struct smack_known **blob;
+ struct smack_known *skp;
struct key *keyp;
struct smk_audit_info ad;
struct smack_known *tkp = smk_of_task(smack_cred(cred));
@@ -4352,7 +4191,9 @@ static int smack_key_permission(key_ref_t key_ref,
* If the key hasn't been initialized give it access so that
* it may do so.
*/
- if (keyp->security == NULL)
+ blob = smack_key(keyp);
+ skp = *blob;
+ if (skp == NULL)
return 0;
/*
* This should not occur
@@ -4368,8 +4209,8 @@ static int smack_key_permission(key_ref_t key_ref,
request = MAY_READ;
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
request = MAY_WRITE;
- rc = smk_access(tkp, keyp->security, request, &ad);
- rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
+ rc = smk_access(tkp, skp, request, &ad);
+ rc = smk_bu_note("key access", tkp, skp, request, rc);
return rc;
}
@@ -4384,11 +4225,12 @@ static int smack_key_permission(key_ref_t key_ref,
*/
static int smack_key_getsecurity(struct key *key, char **_buffer)
{
- struct smack_known *skp = key->security;
+ struct smack_known **blob = smack_key(key);
+ struct smack_known *skp = *blob;
size_t length;
char *copy;
- if (key->security == NULL) {
+ if (skp == NULL) {
*_buffer = NULL;
return 0;
}
@@ -4597,6 +4439,14 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
struct lsm_blob_sizes smack_blob_sizes = {
.lbs_cred = sizeof(struct task_smack),
.lbs_file = sizeof(struct smack_known *),
+ .lbs_inode = sizeof(struct inode_smack),
+ .lbs_ipc = sizeof(struct smack_known *),
+#ifdef CONFIG_KEYS
+ .lbs_key = sizeof(struct smack_known *),
+#endif /* CONFIG_KEYS */
+ .lbs_msg_msg = sizeof(struct smack_known *),
+ .lbs_sock = sizeof(struct socket_smack),
+ .lbs_superblock = sizeof(struct superblock_smack),
};
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
@@ -4605,7 +4455,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(syslog, smack_syslog),
LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
- LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data),
LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount),
LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
@@ -4617,7 +4466,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec),
LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),
- LSM_HOOK_INIT(inode_free_security, smack_inode_free_security),
LSM_HOOK_INIT(inode_init_security, smack_inode_init_security),
LSM_HOOK_INIT(inode_link, smack_inode_link),
LSM_HOOK_INIT(inode_unlink, smack_inode_unlink),
@@ -4670,23 +4518,19 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
- LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security),
LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security),
- LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security),
LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl),
LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd),
LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv),
LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security),
- LSM_HOOK_INIT(shm_free_security, smack_shm_free_security),
LSM_HOOK_INIT(shm_associate, smack_shm_associate),
LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl),
LSM_HOOK_INIT(shm_shmat, smack_shm_shmat),
LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security),
- LSM_HOOK_INIT(sem_free_security, smack_sem_free_security),
LSM_HOOK_INIT(sem_associate, smack_sem_associate),
LSM_HOOK_INIT(sem_semctl, smack_sem_semctl),
LSM_HOOK_INIT(sem_semop, smack_sem_semop),
@@ -4709,7 +4553,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream),
LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram),
LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
+#ifdef SMACK_IPV6_PORT_LABELING
LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
+#endif
LSM_HOOK_INIT(sock_graft, smack_sock_graft),
LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),
@@ -4717,7 +4563,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
/* key management security hooks */
#ifdef CONFIG_KEYS
LSM_HOOK_INIT(key_alloc, smack_key_alloc),
- LSM_HOOK_INIT(key_free, smack_key_free),
LSM_HOOK_INIT(key_permission, smack_key_permission),
LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity),
#endif /* CONFIG_KEYS */
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index cdeb0f3243dd..a5155295551f 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -31,8 +31,8 @@ static unsigned int smack_ipv6_output(void *priv,
struct socket_smack *ssp;
struct smack_known *skp;
- if (sk && sk->sk_security) {
- ssp = sk->sk_security;
+ if (sk && smack_sock(sk)) {
+ ssp = smack_sock(sk);
skp = ssp->smk_out;
skb->secmark = skp->smk_secid;
}
@@ -49,8 +49,8 @@ static unsigned int smack_ipv4_output(void *priv,
struct socket_smack *ssp;
struct smack_known *skp;
- if (sk && sk->sk_security) {
- ssp = sk->sk_security;
+ if (sk && smack_sock(sk)) {
+ ssp = smack_sock(sk);
skp = ssp->smk_out;
skb->secmark = skp->smk_secid;
}
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 06/11] LSM: general but not extreme module stacking
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (4 preceding siblings ...)
2017-08-29 20:59 ` [PATCH 05/11] LSM: Infrastructure management of the remaining blobs Casey Schaufler
@ 2017-08-29 21:00 ` Casey Schaufler
2017-08-30 7:28 ` James Morris
2017-08-29 21:01 ` [PATCH 07/11] LSM: Shared secids by token Casey Schaufler
` (4 subsequent siblings)
10 siblings, 1 reply; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 21:00 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 06/11] LSM: general but not extreme module stacking
Leverage the infrastructure management of the credential and
file security blobs to allow stacking of security modules in
all but the most extreme case. Security modules are informed
of the location of their data within the blobs at module
initialization.
Stacking is optional. If stacking is not configured the old
limit of one "major" security module applies. If stacking is
configured any combination that does not include both SELinux
and Smack is allowed.
A subdirectory has been added to /proc/.../attr for each of
SELinux and AppArmor (Smack introduced such a subdirectory earlier)
to disambiguate what data is provided in the proc/.../attr
interfaces. An entry "context" is added to /proc/.../attr and
to each of the subdirectories. The "context" entry provides
process attribute information in the form:
lsm-name='lsm-data'[,lsm-name='lsm-data']...
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/admin-guide/LSM/index.rst | 22 ++++-
fs/proc/base.c | 33 ++++++++
include/linux/lsm_hooks.h | 2 +-
security/Kconfig | 94 +++++++++++++++++++++
security/apparmor/include/context.h | 10 +++
security/apparmor/lsm.c | 44 ++++++++--
security/security.c | 142 +++++++++++++++++++++++++++++++-
security/selinux/hooks.c | 24 +++++-
security/selinux/include/objsec.h | 8 ++
security/smack/smack.h | 9 ++
security/smack/smack_lsm.c | 23 +++---
security/tomoyo/common.h | 12 ++-
security/tomoyo/tomoyo.c | 3 +-
13 files changed, 398 insertions(+), 28 deletions(-)
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index 9842e21afd4a..bb5c682c046a 100644
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -17,10 +17,16 @@ MAC extensions, other extensions can be built using the LSM to provide
specific changes to system operation when these tweaks are not available
in the core functionality of Linux itself.
-The Linux capabilities modules will always be included. This may be
-followed by any number of "minor" modules and at most one "major" module.
-For more details on capabilities, see ``capabilities(7)`` in the Linux
-man-pages project.
+The Linux capabilities modules will always be included. For more details
+on capabilities, see ``capabilities(7)`` in the Linux man-pages project.
+
+Security modules that do not use the security data blobs maintained
+by the LSM infrastructure are considered "minor" modules. These may be
+included at compile time and stacked explicitly. Security modules that
+use the LSM maintained security blobs are considered "major" modules.
+These may only be stacked if the CONFIG_LSM_STACKED configuration
+option is used. If this is chosen all of the security modules selected
+will be used.
A list of the active security modules can be found by reading
``/sys/kernel/security/lsm``. This is a comma separated list, and
@@ -37,6 +43,14 @@ security module and contains all its special files. The files directly
in ``/proc/.../attr`` remain as legacy interfaces for modules that provide
subdirectories.
+The files named "context" in the attr directories contain the
+same information as the "current" files, but formatted to
+identify the module it comes from.
+
+if selinux is the active security module:
+ /proc/self/attr/context could contain selinux='unconfined_t'
+ /proc/self/attr/selinux/context could contain selinux='unconfined_t'
+
.. toctree::
:maxdepth: 1
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 6a25a4b1592a..76f24175b8a5 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2592,13 +2592,37 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \
.setattr = proc_setattr, \
}
+#ifdef CONFIG_SECURITY_SELINUX
+static const struct pid_entry selinux_attr_dir_stuff[] = {
+ ATTR("selinux", "current", 0666),
+ ATTR("selinux", "prev", 0444),
+ ATTR("selinux", "exec", 0666),
+ ATTR("selinux", "fscreate", 0666),
+ ATTR("selinux", "keycreate", 0666),
+ ATTR("selinux", "sockcreate", 0666),
+ ATTR("selinux", "context", 0666),
+};
+LSM_DIR_OPS(selinux);
+#endif
+
#ifdef CONFIG_SECURITY_SMACK
static const struct pid_entry smack_attr_dir_stuff[] = {
ATTR("smack", "current", 0666),
+ ATTR("smack", "context", 0666),
};
LSM_DIR_OPS(smack);
#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+static const struct pid_entry apparmor_attr_dir_stuff[] = {
+ ATTR("apparmor", "current", 0666),
+ ATTR("apparmor", "prev", 0444),
+ ATTR("apparmor", "exec", 0666),
+ ATTR("apparmor", "context", 0666),
+};
+LSM_DIR_OPS(apparmor);
+#endif
+
static const struct pid_entry attr_dir_stuff[] = {
ATTR(NULL, "current", 0666),
ATTR(NULL, "prev", 0444),
@@ -2606,10 +2630,19 @@ static const struct pid_entry attr_dir_stuff[] = {
ATTR(NULL, "fscreate", 0666),
ATTR(NULL, "keycreate", 0666),
ATTR(NULL, "sockcreate", 0666),
+ ATTR(NULL, "context", 0666),
+#ifdef CONFIG_SECURITY_SELINUX
+ DIR("selinux", 0555,
+ proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops),
+#endif
#ifdef CONFIG_SECURITY_SMACK
DIR("smack", 0555,
proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+ DIR("apparmor", 0555,
+ proc_apparmor_attr_dir_inode_ops, proc_apparmor_attr_dir_ops),
+#endif
};
static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 36e848e51782..dfe4dab1ff8d 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1979,7 +1979,7 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
#define __lsm_ro_after_init __ro_after_init
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
-extern int __init security_module_enable(const char *module);
+extern bool __init security_module_enable(const char *lsm, const bool stacked);
extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA
extern void __init yama_add_hooks(void);
diff --git a/security/Kconfig b/security/Kconfig
index f3464fb5a8b0..36a1519f31d2 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -36,6 +36,28 @@ config SECURITY_WRITABLE_HOOKS
bool
default n
+config SECURITY_STACKING
+ bool "Security module stacking"
+ depends on SECURITY
+ help
+ Allows multiple major security modules to be stacked.
+ Modules are invoked in the order registered with a
+ "bail on fail" policy, in which the infrastructure
+ will stop processing once a denial is detected. Not
+ all modules can be stacked. SELinux and Smack are
+ known to be incompatible. User space components may
+ have trouble identifying the security module providing
+ data in some cases.
+
+ If you select this option you will have to select which
+ of the stackable modules you wish to be active. The
+ "Default security module" will be ignored. The boot line
+ "security=" option can be used to specify that one of
+ the modules identifed for stacking should be used instead
+ of the entire stack.
+
+ If you are unsure how to answer this question, answer N.
+
config SECURITY_LSM_DEBUG
bool "Enable debugging of the LSM infrastructure"
depends on SECURITY
@@ -225,6 +247,9 @@ source security/yama/Kconfig
source security/integrity/Kconfig
+menu "Security Module Selection"
+ visible if !SECURITY_STACKING
+
choice
prompt "Default security module"
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
@@ -264,3 +289,72 @@ config DEFAULT_SECURITY
endmenu
+menu "Security Module Stack"
+ visible if SECURITY_STACKING
+
+choice
+ prompt "Stacked 'extreme' security module"
+ default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
+ default SECURITY_SMACK_STACKED if SECURITY_SMACK
+
+ help
+ Enable an extreme security module. These modules cannot
+ be used at the same time.
+
+ config SECURITY_SELINUX_STACKED
+ bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Add the SELinux security module to the stack. At this
+ time the Smack security module is incompatible with this
+ module.
+ Please be sure your user space code is accomodating of
+ this security module.
+
+ config SECURITY_SMACK_STACKED
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+ help
+ Add the Smack security module to the stack. At this
+ time the SELinux security module is incompatible with this
+ module.
+ Please be sure your user space code is accomodating of
+ this security module.
+
+ config SECURITY_NOTHING_STACKED
+ bool "Use no 'extreme' security module"
+ help
+ Add neither the SELinux security module nor the Smack security
+ module to the stack.
+ Please be sure your user space code does not require either of
+ these security modules.
+
+endchoice
+
+config SECURITY_TOMOYO_STACKED
+ bool "TOMOYO support is enabled by default"
+ depends on SECURITY_TOMOYO && SECURITY_STACKING
+ default n
+ help
+ This option instructs the system to use the TOMOYO checks.
+ If not selected the module will not be invoked.
+ Stacked security modules may interact in unexpected ways.
+ Please be sure your user space code is accomodating of
+ multiple security modules.
+
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_APPARMOR_STACKED
+ bool "AppArmor support is enabled by default"
+ depends on SECURITY_APPARMOR && SECURITY_STACKING
+ default n
+ help
+ This option instructs the system to use the AppArmor checks.
+ If not selected the module will not be invoked.
+ Stacked security modules may interact in unexpected ways.
+ Please be sure your user space code is accomodating of
+ multiple security modules.
+
+ If you are unsure how to answer this question, answer N.
+
+endmenu
+
+endmenu
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index c6e106a533e8..c6d5dbbd18b0 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -55,9 +55,15 @@ int aa_set_current_hat(struct aa_label *label, u64 token);
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);
+extern struct lsm_blob_sizes apparmor_blob_sizes;
+
static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + apparmor_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
/**
@@ -89,7 +95,11 @@ static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
static inline struct aa_file_ctx *apparmor_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + apparmor_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
/**
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fb317cc94510..92cb9f2093c5 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -496,9 +496,13 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
const struct cred *cred = get_task_cred(task);
struct aa_task_ctx *ctx = cred_ctx(cred);
struct aa_label *label = NULL;
+ char *vp;
+ char *np;
if (strcmp(name, "current") == 0)
label = aa_get_newest_label(ctx->label);
+ else if (strcmp(name, "context") == 0 && ctx->label)
+ label = aa_get_newest_label(ctx->label);
else if (strcmp(name, "prev") == 0 && ctx->previous)
label = aa_get_newest_label(ctx->previous);
else if (strcmp(name, "exec") == 0 && ctx->onexec)
@@ -506,8 +510,29 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
else
error = -EINVAL;
- if (label)
- error = aa_getprocattr(label, value);
+ if (label == NULL)
+ goto put_out;
+
+ error = aa_getprocattr(label, &vp);
+ if (error < 0)
+ goto put_out;
+
+ if (strcmp(name, "context") == 0) {
+ *value = kasprintf(GFP_KERNEL, "apparmor='%s'", vp);
+ if (*value == NULL) {
+ error = -ENOMEM;
+ goto put_out;
+ }
+ np = strchr(*value, '\n');
+ if (np != NULL) {
+ np[0] = '\'';
+ np[1] = '\0';
+ }
+ error = strlen(*value);
+ } else
+ *value = vp;
+
+put_out:
aa_put_label(label);
put_cred(cred);
@@ -546,7 +571,7 @@ static int apparmor_setprocattr(const char *name, void *value,
goto out;
arg_size = size - (args - (largs ? largs : (char *) value));
- if (strcmp(name, "current") == 0) {
+ if (strcmp(name, "current") == 0 || strcmp(name, "context") == 0) {
if (strcmp(command, "changehat") == 0) {
error = aa_setprocattr_changehat(args, arg_size,
AA_CHANGE_NOFLAGS);
@@ -570,7 +595,10 @@ static int apparmor_setprocattr(const char *name, void *value,
else
goto fail;
} else
- /* only support the "current" and "exec" process attributes */
+ /*
+ * only support the "current", "context" and "exec"
+ * process attributes
+ */
goto fail;
if (!error)
@@ -1014,13 +1042,17 @@ static int __init apparmor_init(void)
int error;
if (!finish) {
- if (apparmor_enabled && security_module_enable("apparmor"))
+ if (apparmor_enabled &&
+ security_module_enable("apparmor",
+ IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
security_add_blobs(&apparmor_blob_sizes);
finish = 1;
return 0;
}
- if (!apparmor_enabled || !security_module_enable("apparmor")) {
+ if (!apparmor_enabled ||
+ !security_module_enable("apparmor",
+ IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED))) {
aa_info_message("AppArmor disabled by boot time parameter");
apparmor_enabled = 0;
return 0;
diff --git a/security/security.c b/security/security.c
index 9780bf655a10..6b979aa769ad 100644
--- a/security/security.c
+++ b/security/security.c
@@ -35,6 +35,7 @@
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
+#define MODULE_STACK "(stacking)"
struct security_hook_heads security_hook_heads __lsm_ro_after_init;
static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
@@ -44,7 +45,11 @@ static struct lsm_blob_sizes blob_sizes;
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
+#ifdef CONFIG_SECURITY_STACKING
+ MODULE_STACK;
+#else
CONFIG_DEFAULT_SECURITY;
+#endif
static void __init do_security_initcalls(void)
{
@@ -153,6 +158,7 @@ static int lsm_append(char *new, char **result)
/**
* security_module_enable - Load given security module on boot ?
* @module: the name of the module
+ * @stacked: indicates that the module wants to be stacked
*
* Each LSM must pass this method before registering its own operations
* to avoid security registration races. This method may also be used
@@ -168,9 +174,29 @@ static int lsm_append(char *new, char **result)
*
* Otherwise, return false.
*/
-int __init security_module_enable(const char *module)
+bool __init security_module_enable(const char *lsm, const bool stacked)
{
- return !strcmp(module, chosen_lsm);
+#ifdef CONFIG_SECURITY_STACKING
+ /*
+ * Module defined on the command line security=XXXX
+ */
+ if (strcmp(chosen_lsm, MODULE_STACK)) {
+ if (!strcmp(lsm, chosen_lsm)) {
+ pr_info("Command line sets the %s security module.\n",
+ lsm);
+ return true;
+ }
+ return false;
+ }
+ /*
+ * Module configured as stacked.
+ */
+ return stacked;
+#else
+ if (strcmp(lsm, chosen_lsm) == 0)
+ return true;
+ return false;
+#endif
}
/**
@@ -1661,8 +1687,49 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
char **value)
{
struct security_hook_list *hp;
+ char *vp;
+ char *cp = NULL;
+ int trc;
int rc;
+ /*
+ * "context" requires work here in addition to what
+ * the modules provide.
+ */
+ if (strcmp(name, "context") == 0) {
+ *value = NULL;
+ rc = -EINVAL;
+ list_for_each_entry(hp,
+ &security_hook_heads.getprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ trc = hp->hook.getprocattr(p, "context", &vp);
+ if (trc == -ENOENT)
+ continue;
+ if (trc <= 0) {
+ kfree(*value);
+ return trc;
+ }
+ rc = trc;
+ if (*value == NULL) {
+ *value = vp;
+ } else {
+ cp = kasprintf(GFP_KERNEL, "%s,%s", *value, vp);
+ if (cp == NULL) {
+ kfree(*value);
+ kfree(vp);
+ return -ENOMEM;
+ }
+ kfree(*value);
+ kfree(vp);
+ *value = cp;
+ }
+ }
+ if (rc > 0)
+ return strlen(*value);
+ return rc;
+ }
+
list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
if (lsm != NULL && strcmp(lsm, hp->lsm))
continue;
@@ -1678,6 +1745,77 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
{
struct security_hook_list *hp;
int rc;
+ char *local;
+ char *cp;
+ int slen;
+ int failed = 0;
+
+ /*
+ * If lsm is NULL look at all the modules to find one
+ * that processes name. If lsm is not NULL only look at
+ * that module.
+ *
+ * "context" is handled directly here.
+ */
+ if (strcmp(name, "context") == 0) {
+ /*
+ * First verify that the input is acceptable.
+ * lsm1='v1'lsm2='v2'lsm3='v3'
+ *
+ * A note on the use of strncmp() below.
+ * The check is for the substring at the beginning of cp.
+ * The kzalloc of size + 1 ensures a terminated string.
+ */
+ rc = -EINVAL;
+ local = kzalloc(size + 1, GFP_KERNEL);
+ memcpy(local, value, size);
+ cp = local;
+ list_for_each_entry(hp, &security_hook_heads.setprocattr,
+ list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ if (cp[0] == ',') {
+ if (cp == local)
+ goto free_out;
+ cp++;
+ }
+ slen = strlen(hp->lsm);
+ if (strncmp(cp, hp->lsm, slen))
+ goto free_out;
+ cp += slen;
+ if (cp[0] != '=' || cp[1] != '\'' || cp[2] == '\'')
+ goto free_out;
+ for (cp += 2; cp[0] != '\''; cp++)
+ if (cp[0] == '\0')
+ goto free_out;
+ cp++;
+ }
+
+ cp = local;
+ list_for_each_entry(hp, &security_hook_heads.setprocattr,
+ list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ if (cp[0] == ',')
+ cp++;
+ cp += strlen(hp->lsm) + 2;
+ for (slen = 0; cp[slen] != '\''; slen++)
+ ;
+ cp[slen] = '\0';
+
+ rc = hp->hook.setprocattr("context", cp, slen);
+ if (rc < 0)
+ failed = rc;
+ cp += slen + 1;
+ }
+ if (failed != 0)
+ rc = failed;
+ else
+ rc = size;
+free_out:
+ kfree(local);
+ return rc;
+ }
list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
if (lsm != NULL && strcmp(lsm, hp->lsm))
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4c022182bb21..84d533335924 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5733,6 +5733,8 @@ static int selinux_getprocattr(struct task_struct *p,
if (!strcmp(name, "current"))
sid = __tsec->sid;
+ else if (!strcmp(name, "context"))
+ sid = __tsec->sid;
else if (!strcmp(name, "prev"))
sid = __tsec->osid;
else if (!strcmp(name, "exec"))
@@ -5752,7 +5754,19 @@ static int selinux_getprocattr(struct task_struct *p,
if (!sid)
return 0;
- error = security_sid_to_context(sid, value, &len);
+ if (strcmp(name, "context")) {
+ error = security_sid_to_context(sid, value, &len);
+ } else {
+ char *vp;
+
+ error = security_sid_to_context(sid, &vp, &len);
+ if (!error) {
+ *value = kasprintf(GFP_KERNEL, "selinux='%s'", vp);
+ if (*value == NULL)
+ error = -ENOMEM;
+ }
+ }
+
if (error)
return error;
return len;
@@ -5788,6 +5802,9 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
else if (!strcmp(name, "current"))
error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
PROCESS__SETCURRENT, NULL);
+ else if (!strcmp(name, "context"))
+ error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
+ PROCESS__SETCURRENT, NULL);
else
error = -EINVAL;
if (error)
@@ -5848,7 +5865,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
tsec->keycreate_sid = sid;
} else if (!strcmp(name, "sockcreate")) {
tsec->sockcreate_sid = sid;
- } else if (!strcmp(name, "current")) {
+ } else if (!strcmp(name, "current") || !strcmp(name, "context")) {
error = -EINVAL;
if (sid == 0)
goto abort_change;
@@ -6294,7 +6311,8 @@ static __init int selinux_init(void)
{
static int finish;
- if (!security_module_enable("selinux")) {
+ if (!security_module_enable("selinux",
+ IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED))) {
selinux_enabled = 0;
return 0;
}
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 11a372c0e919..306863675614 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -155,12 +155,20 @@ extern struct lsm_blob_sizes selinux_blob_sizes;
static inline struct task_security_struct *selinux_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + selinux_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
static inline struct file_security_struct *selinux_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + selinux_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
static inline struct inode_security_struct *selinux_inode(
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 1b875c2f3d9d..e7611de071f1 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -336,6 +336,7 @@ extern struct smack_known *smack_syslog_label;
extern struct smack_known *smack_unconfined;
#endif
extern int smack_ptrace_rule;
+extern struct lsm_blob_sizes smack_blob_sizes;
extern struct smack_known smack_known_floor;
extern struct smack_known smack_known_hat;
@@ -358,12 +359,20 @@ extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
static inline struct task_smack *smack_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + smack_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
static inline struct smack_known **smack_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + smack_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
static inline struct inode_smack *smack_inode(const struct inode *inode)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bbc27d444662..1e9ab7bdaf55 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3453,18 +3453,20 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
{
struct smack_known *skp = smk_of_task_struct(p);
char *cp;
- int slen;
- if (strcmp(name, "current") != 0)
+ if (strcmp(name, "current") == 0) {
+ cp = kstrdup(skp->smk_known, GFP_KERNEL);
+ if (cp == NULL)
+ return -ENOMEM;
+ } else if (strcmp(name, "context") == 0) {
+ cp = kasprintf(GFP_KERNEL, "smack='%s'", skp->smk_known);
+ if (cp == NULL)
+ return -ENOMEM;
+ } else
return -EINVAL;
- cp = kstrdup(skp->smk_known, GFP_KERNEL);
- if (cp == NULL)
- return -ENOMEM;
-
- slen = strlen(cp);
*value = cp;
- return slen;
+ return strlen(cp);
}
/**
@@ -3492,7 +3494,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
return -EINVAL;
- if (strcmp(name, "current") != 0)
+ if (strcmp(name, "current") != 0 && strcmp(name, "context") != 0)
return -EINVAL;
skp = smk_import_entry(value, size);
@@ -4622,7 +4624,8 @@ static __init int smack_init(void)
struct cred *cred = (struct cred *) current->cred;
struct task_smack *tsp;
- if (!security_module_enable("smack"))
+ if (!security_module_enable("smack",
+ IS_ENABLED(CONFIG_SECURITY_SMACK_STACKED)))
return 0;
if (!finish) {
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index cbcfccc84784..2eed9d44eec1 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -1085,6 +1085,7 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
+extern struct lsm_blob_sizes tomoyo_blob_sizes;
/********** Inlined functions. **********/
@@ -1204,7 +1205,11 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
*/
static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + tomoyo_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
/**
@@ -1214,8 +1219,13 @@ static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
*/
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
- struct tomoyo_domain_info **blob = tomoyo_cred(current_cred());
+ const struct cred *cred = current_cred();
+ struct tomoyo_domain_info **blob;
+
+ if (cred->security == NULL)
+ return NULL;
+ blob = tomoyo_cred(cred);
return *blob;
}
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 901fa7835337..aa52fff4bbe9 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -561,7 +561,8 @@ static int __init tomoyo_init(void)
struct cred *cred = (struct cred *) current_cred();
struct tomoyo_domain_info **blob;
- if (!security_module_enable("tomoyo"))
+ if (!security_module_enable("tomoyo",
+ IS_ENABLED(CONFIG_SECURITY_TOMOYO_STACKED)))
return 0;
if (!finish) {
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 07/11] LSM: Shared secids by token
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (5 preceding siblings ...)
2017-08-29 21:00 ` [PATCH 06/11] LSM: general but not extreme module stacking Casey Schaufler
@ 2017-08-29 21:01 ` Casey Schaufler
2017-08-31 16:30 ` [Non-DoD Source] " Stephen Smalley
2017-08-29 21:02 ` [PATCH 08/11] LSM: Complete abstraction of superblock blob in Smack Casey Schaufler
` (3 subsequent siblings)
10 siblings, 1 reply; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 21:01 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 07/11] LSM: Shared secids by token
Introduces a mechanism for mapping a set of security
module secids to and from a "token". The module interfaces
are changed to generally hide the mechanism from both the
security modules and the callers of the security hooks.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 54 ++++++++-
security/Makefile | 1 +
security/security.c | 248 ++++++++++++++++++++++++++++++++++-----
security/selinux/hooks.c | 31 +++--
security/selinux/include/xfrm.h | 2 +-
security/selinux/xfrm.c | 6 +-
security/smack/smack.h | 1 +
security/smack/smack_lsm.c | 19 ++-
security/smack/smack_netfilter.c | 17 ++-
security/stacking.c | 165 ++++++++++++++++++++++++++
10 files changed, 497 insertions(+), 47 deletions(-)
create mode 100644 security/stacking.c
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index dfe4dab1ff8d..75d95854f2ed 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1627,7 +1627,7 @@ union security_list_options {
void (*secmark_refcount_inc)(void);
void (*secmark_refcount_dec)(void);
void (*req_classify_flow)(const struct request_sock *req,
- struct flowi *fl);
+ u32 *fl_secid);
int (*tun_dev_alloc_security)(void **security);
void (*tun_dev_free_security)(void *security);
int (*tun_dev_create)(void);
@@ -1663,7 +1663,7 @@ union security_list_options {
u8 dir);
int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
struct xfrm_policy *xp,
- const struct flowi *fl);
+ u32 fl_secid);
int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
@@ -1916,9 +1916,59 @@ struct security_hook_list {
struct list_head *head;
union security_list_options hook;
char *lsm;
+ int lsm_index;
} __randomize_layout;
/*
+ * The maximum number of major security modules.
+ * Used to avoid excessive memory management while
+ * mapping global and module specific secids.
+ *
+ * Currently SELinux, Smack, AppArmor, TOMOYO
+ * Oh, but Casey needs to come up with the right way
+ * to identify a "major" module, so use the total number
+ * of modules (including minor) for now.
+ * Minor: Capability, Yama, LoadPin
+ */
+#define LSM_MAX_MAJOR 8
+
+#ifdef CONFIG_SECURITY_STACKING
+struct lsm_secids {
+ u32 secid[LSM_MAX_MAJOR];
+};
+
+extern u32 lsm_secids_to_token(const struct lsm_secids *secids);
+extern void lsm_token_to_secids(const u32 token, struct lsm_secids *secids);
+extern u32 lsm_token_to_module_secid(const u32 token, int lsm);
+extern void lsm_secids_init(struct lsm_secids *secids);
+#else /* CONFIG_SECURITY_STACKING */
+struct lsm_secids {
+ u32 secid;
+};
+
+static inline u32 lsm_secids_to_token(const struct lsm_secids *secids)
+{
+ return secids->secid;
+}
+
+static inline void lsm_token_to_secids(const u32 token,
+ struct lsm_secids *secids)
+{
+ secids->secid = token;
+}
+
+static inline u32 lsm_token_to_module_secid(const u32 token, int lsm)
+{
+ return token;
+}
+
+static inline void lsm_secids_init(struct lsm_secids *secids)
+{
+ secids->secid = 0;
+}
+#endif /* CONFIG_SECURITY_STACKING */
+
+/*
* Security blob size or offset data.
*/
struct lsm_blob_sizes {
diff --git a/security/Makefile b/security/Makefile
index f2d71cdb8e19..05e6d525b5a1 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
+obj-$(CONFIG_SECURITY_STACKING) += stacking.o
# Object integrity file lists
subdir-$(CONFIG_INTEGRITY) += integrity
diff --git a/security/security.c b/security/security.c
index 6b979aa769ad..9d402d954cef 100644
--- a/security/security.c
+++ b/security/security.c
@@ -199,6 +199,11 @@ bool __init security_module_enable(const char *lsm, const bool stacked)
#endif
}
+/*
+ * Keep the order of major modules for mapping secids.
+ */
+static int lsm_next_major;
+
/**
* security_add_hooks - Add a modules hooks to the hook lists.
* @hooks: the hooks to add
@@ -211,9 +216,14 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
char *lsm)
{
int i;
+ int lsm_index = lsm_next_major++;
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: Security module %s gets index %d\n", lsm, lsm_index);
+#endif
for (i = 0; i < count; i++) {
hooks[i].lsm = lsm;
+ hooks[i].lsm_index = lsm_index;
list_add_tail_rcu(&hooks[i].list, hooks[i].head);
}
if (lsm_append(lsm, &lsm_names) < 0)
@@ -1218,7 +1228,15 @@ EXPORT_SYMBOL(security_inode_listsecurity);
void security_inode_getsecid(struct inode *inode, u32 *secid)
{
- call_void_hook(inode_getsecid, inode, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.inode_getsecid, list)
+ hp->hook.inode_getsecid(inode, &secids.secid[hp->lsm_index]);
+
+ *secid = lsm_secids_to_token(&secids);
}
int security_inode_copy_up(struct dentry *src, struct cred **new)
@@ -1406,7 +1424,18 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
int security_kernel_act_as(struct cred *new, u32 secid)
{
- return call_int_hook(kernel_act_as, 0, new, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.kernel_act_as, list) {
+ rc = hp->hook.kernel_act_as(new, secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+ return rc;
}
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
@@ -1465,8 +1494,15 @@ int security_task_getsid(struct task_struct *p)
void security_task_getsecid(struct task_struct *p, u32 *secid)
{
- *secid = 0;
- call_void_hook(task_getsecid, p, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.task_getsecid, list)
+ hp->hook.task_getsecid(p, &secids.secid[hp->lsm_index]);
+
+ *secid = lsm_secids_to_token(&secids);
}
EXPORT_SYMBOL(security_task_getsecid);
@@ -1515,7 +1551,19 @@ int security_task_movememory(struct task_struct *p)
int security_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid)
{
- return call_int_hook(task_kill, 0, p, info, sig, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.task_kill, list) {
+ rc = hp->hook.task_kill(p, info, sig,
+ secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+ return rc;
}
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
@@ -1548,8 +1596,15 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- *secid = 0;
- call_void_hook(ipc_getsecid, ipcp, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.ipc_getsecid, list)
+ hp->hook.ipc_getsecid(ipcp, &secids.secid[hp->lsm_index]);
+
+ *secid = lsm_secids_to_token(&secids);
}
int security_msg_msg_alloc(struct msg_msg *msg)
@@ -1840,15 +1895,42 @@ EXPORT_SYMBOL(security_ismaclabel);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
- return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
- seclen);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = -EOPNOTSUPP;
+
+ lsm_token_to_secids(secid, &secids);
+
+ /*
+ * CBS - Return the first result regardless.
+ */
+ list_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
+ rc = hp->hook.secid_to_secctx(secids.secid[hp->lsm_index],
+ secdata, seclen);
+ if (rc != -EOPNOTSUPP)
+ break;
+ }
+ return rc;
}
EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- *secid = 0;
- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
+ rc = hp->hook.secctx_to_secid(secdata, seclen,
+ &secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+
+ *secid = lsm_secids_to_token(&secids);
+ return rc;
}
EXPORT_SYMBOL(security_secctx_to_secid);
@@ -1977,10 +2059,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
optval, optlen, len);
}
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+ u32 *secid)
{
- return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
- skb, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = -ENOPROTOOPT;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
+ list) {
+ rc = hp->hook.socket_getpeersec_dgram(sock, skb,
+ &secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+
+ if (!rc)
+ *secid = lsm_secids_to_token(&secids);
+ return rc;
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
@@ -2008,13 +2106,30 @@ EXPORT_SYMBOL(security_sk_clone);
void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
- call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.sk_getsecid, list)
+ hp->hook.sk_getsecid(sk, &secids.secid[hp->lsm_index]);
+
+ fl->flowi_secid = lsm_secids_to_token(&secids);
}
EXPORT_SYMBOL(security_sk_classify_flow);
-void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+void security_req_classify_flow(const struct request_sock *req,
+ struct flowi *fl)
{
- call_void_hook(req_classify_flow, req, fl);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.req_classify_flow, list)
+ hp->hook.req_classify_flow(req, &secids.secid[hp->lsm_index]);
+
+ fl->flowi_secid = lsm_secids_to_token(&secids);
}
EXPORT_SYMBOL(security_req_classify_flow);
@@ -2045,7 +2160,20 @@ void security_inet_conn_established(struct sock *sk,
int security_secmark_relabel_packet(u32 secid)
{
- return call_int_hook(secmark_relabel_packet, 0, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.secmark_relabel_packet,
+ list) {
+ rc = hp->hook.secmark_relabel_packet(
+ secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+ return rc;
}
EXPORT_SYMBOL(security_secmark_relabel_packet);
@@ -2163,7 +2291,20 @@ EXPORT_SYMBOL(security_xfrm_state_alloc);
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 secid)
{
- return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.xfrm_state_alloc_acquire,
+ list) {
+ rc = hp->hook.xfrm_state_alloc_acquire(x, polsec,
+ secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+ return rc;
}
int security_xfrm_state_delete(struct xfrm_state *x)
@@ -2179,7 +2320,19 @@ void security_xfrm_state_free(struct xfrm_state *x)
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
- return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(fl_secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.xfrm_policy_lookup, list) {
+ rc = hp->hook.xfrm_policy_lookup(ctx,
+ secids.secid[hp->lsm_index], dir);
+ if (rc)
+ break;
+ }
+ return rc;
}
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
@@ -2187,6 +2340,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
const struct flowi *fl)
{
struct security_hook_list *hp;
+ struct lsm_secids secids;
int rc = 1;
/*
@@ -2198,9 +2352,12 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
* For speed optimization, we explicitly break the loop rather than
* using the macro
*/
+ lsm_token_to_secids(fl->flowi_secid, &secids);
+
list_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
- list) {
- rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl);
+ list) {
+ rc = hp->hook.xfrm_state_pol_flow_match(x, xp,
+ secids.secid[hp->lsm_index]);
break;
}
return rc;
@@ -2208,15 +2365,41 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
- return call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.xfrm_decode_session,
+ list) {
+ rc = hp->hook.xfrm_decode_session(skb,
+ &secids.secid[hp->lsm_index], 1);
+ if (rc)
+ break;
+ }
+ if (!rc)
+ *secid = lsm_secids_to_token(&secids);
+ return rc;
}
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
{
- int rc = call_int_hook(xfrm_decode_session, 0, skb, &fl->flowi_secid,
- 0);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_secids_init(&secids);
+ list_for_each_entry(hp, &security_hook_heads.xfrm_decode_session,
+ list) {
+ rc = hp->hook.xfrm_decode_session(skb,
+ &secids.secid[hp->lsm_index], 0);
+ if (rc)
+ break;
+ }
BUG_ON(rc);
+ fl->flowi_secid = lsm_secids_to_token(&secids);
}
EXPORT_SYMBOL(security_skb_classify_flow);
@@ -2275,7 +2458,18 @@ void security_audit_rule_free(void *lsmrule)
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx)
{
- return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule,
- actx);
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
+ rc = hp->hook.audit_rule_match(secids.secid[hp->lsm_index],
+ field, op, lsmrule, actx);
+ if (rc)
+ break;
+ }
+ return rc;
}
#endif /* CONFIG_AUDIT */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 84d533335924..389f09ebd374 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -100,6 +100,9 @@
/* SECMARK reference count */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
+/* Index into lsm_secids */
+static int selinux_secids_index;
+
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing;
@@ -4610,6 +4613,11 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
SECCLASS_NODE, NODE__RECVFROM, ad);
}
+static u32 selinux_secmark_to_secid(u32 token)
+{
+ return lsm_token_to_module_secid(token, selinux_secids_index);
+}
+
static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
@@ -4629,7 +4637,9 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
return err;
if (selinux_secmark_enabled()) {
- err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ err = avc_has_perm(sk_sid,
+ selinux_secmark_to_secid(skb->secmark),
+ SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
@@ -4703,7 +4713,9 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
}
if (secmark_active) {
- err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ err = avc_has_perm(sk_sid,
+ selinux_secmark_to_secid(skb->secmark),
+ SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
@@ -4902,9 +4914,9 @@ static void selinux_secmark_refcount_dec(void)
}
static void selinux_req_classify_flow(const struct request_sock *req,
- struct flowi *fl)
+ u32 *fl_secid)
{
- fl->flowi_secid = req->secid;
+ *fl_secid = req->secid;
}
static int selinux_tun_dev_alloc_security(void **security)
@@ -5066,7 +5078,8 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
}
if (secmark_active)
- if (avc_has_perm(peer_sid, skb->secmark,
+ if (avc_has_perm(peer_sid,
+ selinux_secmark_to_secid(skb->secmark),
SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
return NF_DROP;
@@ -5178,7 +5191,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
return NF_DROP;
if (selinux_secmark_enabled())
- if (avc_has_perm(sksec->sid, skb->secmark,
+ if (avc_has_perm(sksec->sid,
+ selinux_secmark_to_secid(skb->secmark),
SECCLASS_PACKET, PACKET__SEND, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
@@ -5301,7 +5315,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
return NF_DROP;
if (secmark_active)
- if (avc_has_perm(peer_sid, skb->secmark,
+ if (avc_has_perm(peer_sid,
+ selinux_secmark_to_secid(skb->secmark),
SECCLASS_PACKET, secmark_perm, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
@@ -6339,6 +6354,8 @@ static __init int selinux_init(void)
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
+ selinux_secids_index = selinux_hooks[0].lsm_index;
+
if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
panic("SELinux: Unable to register AVC netcache callback\n");
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 1450f85b946d..475a328248b3 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -25,7 +25,7 @@ int selinux_xfrm_state_delete(struct xfrm_state *x);
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
struct xfrm_policy *xp,
- const struct flowi *fl);
+ u32 fl_secid);
#ifdef CONFIG_SECURITY_NETWORK_XFRM
extern atomic_t selinux_xfrm_refcount;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 789d07bd900f..d71e2c32b5da 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -174,7 +174,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
*/
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
struct xfrm_policy *xp,
- const struct flowi *fl)
+ u32 fl_secid)
{
u32 state_sid;
@@ -196,13 +196,13 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
state_sid = x->security->ctx_sid;
- if (fl->flowi_secid != state_sid)
+ if (fl_secid != state_sid)
return 0;
/* We don't need a separate SA Vs. policy polmatch check since the SA
* is now of the same label as the flow and a flow Vs. policy polmatch
* check had already happened in selinux_xfrm_policy_lookup() above. */
- return (avc_has_perm(fl->flowi_secid, state_sid,
+ return (avc_has_perm(fl_secid, state_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
NULL) ? 0 : 1);
}
diff --git a/security/smack/smack.h b/security/smack/smack.h
index e7611de071f1..e9fd586e0ec1 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -328,6 +328,7 @@ void smk_destroy_label_list(struct list_head *list);
* Shared data.
*/
extern int smack_enabled;
+extern int smack_secids_index;
extern int smack_cipso_direct;
extern int smack_cipso_mapped;
extern struct smack_known *smack_net_ambient;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 1e9ab7bdaf55..51daf9b05f17 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -57,6 +57,7 @@ static LIST_HEAD(smk_ipv6_port_list);
#endif
static struct kmem_cache *smack_inode_cache;
int smack_enabled;
+int smack_secids_index;
static const match_table_t smk_mount_tokens = {
{Opt_fsdefault, SMK_FSDEFAULT "%s"},
@@ -3788,6 +3789,13 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
}
#endif /* CONFIG_IPV6 */
+#ifdef CONFIG_SECURITY_SMACK_NETFILTER
+static u32 smk_of_secmark(u32 secmark)
+{
+ return lsm_token_to_module_secid(secmark, smack_secids_index);
+}
+#endif
+
/**
* smack_socket_sock_rcv_skb - Smack packet delivery access check
* @sk: socket
@@ -3819,7 +3827,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
* The secmark is assumed to reflect policy better.
*/
if (skb && skb->secmark != 0) {
- skp = smack_from_secid(skb->secmark);
+ skp = smack_from_secid(smk_of_secmark(skb->secmark));
goto access_check;
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
@@ -3864,7 +3872,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
break;
#ifdef SMACK_IPV6_SECMARK_LABELING
if (skb && skb->secmark != 0)
- skp = smack_from_secid(skb->secmark);
+ skp = smack_from_secid(smk_of_secmark(skb->secmark));
else
skp = smack_ipv6host_label(&sadd);
if (skp == NULL)
@@ -3962,7 +3970,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
break;
case PF_INET:
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
- s = skb->secmark;
+ s = smk_of_secmark(skb->secmark);
if (s != 0)
break;
#endif
@@ -3981,7 +3989,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
break;
case PF_INET6:
#ifdef SMACK_IPV6_SECMARK_LABELING
- s = skb->secmark;
+ s = smk_of_secmark(skb->secmark);
#endif
break;
}
@@ -4060,7 +4068,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
* The secmark is assumed to reflect policy better.
*/
if (skb && skb->secmark != 0) {
- skp = smack_from_secid(skb->secmark);
+ skp = smack_from_secid(smk_of_secmark(skb->secmark));
goto access_check;
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
@@ -4650,6 +4658,7 @@ static __init int smack_init(void)
* Register with LSM
*/
security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
+ smack_secids_index = smack_hooks[0].lsm_index;
smack_enabled = 1;
pr_info("Smack: Initializing.\n");
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index a5155295551f..510661ba6c16 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -23,6 +23,19 @@
#if IS_ENABLED(CONFIG_IPV6)
+/*
+ * Reinvestigate this soon?
+ *
+ */
+static u32 smack_to_secmark(u32 secid)
+{
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+ secids.secid[smack_secids_index] = secid;
+ return lsm_secids_to_token(&secids);
+}
+
static unsigned int smack_ipv6_output(void *priv,
struct sk_buff *skb,
const struct nf_hook_state *state)
@@ -34,7 +47,7 @@ static unsigned int smack_ipv6_output(void *priv,
if (sk && smack_sock(sk)) {
ssp = smack_sock(sk);
skp = ssp->smk_out;
- skb->secmark = skp->smk_secid;
+ skb->secmark = smack_to_secmark(skp->smk_secid);
}
return NF_ACCEPT;
@@ -52,7 +65,7 @@ static unsigned int smack_ipv4_output(void *priv,
if (sk && smack_sock(sk)) {
ssp = smack_sock(sk);
skp = ssp->smk_out;
- skb->secmark = skp->smk_secid;
+ skb->secmark = smack_to_secmark(skp->smk_secid);
}
return NF_ACCEPT;
diff --git a/security/stacking.c b/security/stacking.c
new file mode 100644
index 000000000000..65276cd695de
--- /dev/null
+++ b/security/stacking.c
@@ -0,0 +1,165 @@
+/*
+ * Maintain a mapping between the secid used in networking
+ * and the set of secids used by the security modules.
+ *
+ * Author:
+ * Casey Schaufler <casey@schaufler-ca.com>
+ *
+ * Copyright (C) 2017 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) 2017 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <linux/lsm_hooks.h>
+
+struct token_entry {
+ int used; /* relative age of the entry */
+ u32 token; /* token value */
+ struct lsm_secids secids; /* secids mapped to this token */
+};
+
+/*
+ * Add an entry to the table when asked for a mapping that
+ * isn't already present. If the table is full throw away the
+ * least recently used entry. If the entry is present undate
+ * when it was used.
+ */
+#define TOKEN_AGE_LIMIT (MAX_INT >> 2)
+#define TOKEN_LIMIT 0x20000000
+#define TOKEN_SET_SIZE 200
+#define TOKEN_BIT 0x80000000
+int token_used;
+u32 token_next;
+struct lsm_secids null_secids;
+struct token_entry token_set[TOKEN_SET_SIZE];
+
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+static void report_token(const char *msg, const struct token_entry *te)
+{
+ int i;
+
+ pr_info("LSM: %s token=%08x %u,%u,%u,%u,%u,%u,%u,%u\n", msg, te->token,
+ te->secids.secid[0], te->secids.secid[1], te->secids.secid[2],
+ te->secids.secid[3], te->secids.secid[4], te->secids.secid[5],
+ te->secids.secid[6], te->secids.secid[7]);
+ for (i = 0; i < LSM_MAX_MAJOR; i++)
+ if (te->secids.secid[i] & TOKEN_BIT)
+ pr_info("LSM: module %d provided a token.\n", i);
+}
+#else
+static inline void report_token(const char *msg, const struct token_entry *te)
+{
+}
+#endif
+
+static int next_used(void)
+{
+ if (token_next >= TOKEN_LIMIT) {
+ pr_info("LSM: Security token use overflow - safe reset\n");
+ token_used = 0;
+ }
+ return ++token_used;
+}
+
+static u32 next_token(void)
+{
+ if (token_next >= TOKEN_LIMIT) {
+ pr_info("LSM: Security token overflow - safe reset\n");
+ token_next = 0;
+ }
+ return ++token_next | TOKEN_BIT;
+}
+
+u32 lsm_secids_to_token(const struct lsm_secids *secids)
+{
+ int i;
+ int j;
+ int old;
+
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ for (i = 0; i < LSM_MAX_MAJOR; i++)
+ if (secids->secid[i] & TOKEN_BIT)
+ pr_info("LSM: %s secid[%d]=%08x has token bit\n",
+ __func__, i, secids->secid[i]);
+#endif
+
+ /*
+ * If none of the secids are set whoever sent this here
+ * was thinking "0".
+ */
+ if (!memcmp(secids, &null_secids, sizeof(*secids)))
+ return 0;
+
+ for (i = 0; i < TOKEN_SET_SIZE; i++) {
+ if (token_set[i].token == 0)
+ break;
+ if (!memcmp(secids, &token_set[i].secids, sizeof(*secids))) {
+ token_set[i].used = next_used();
+ return token_set[i].token;
+ }
+ }
+ if (i == TOKEN_SET_SIZE) {
+ old = token_used;
+ for (j = 0; j < TOKEN_SET_SIZE; j++) {
+ if (token_set[j].used < old) {
+ old = token_set[j].used;
+ i = j;
+ }
+ }
+ }
+ token_set[i].secids = *secids;
+ token_set[i].token = next_token();
+ token_set[i].used = next_used();
+
+ report_token("new", &token_set[i]);
+
+ return token_set[i].token;
+}
+
+void lsm_token_to_secids(const u32 token, struct lsm_secids *secids)
+{
+ int i;
+ struct lsm_secids fudge;
+
+ if (token) {
+ if (!(token & TOKEN_BIT)) {
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: %s token=%08x has no token bit\n",
+ __func__, token);
+#endif
+ for (i = 0; i < LSM_MAX_MAJOR; i++)
+ fudge.secid[i] = token;
+ *secids = fudge;
+ return;
+ }
+ for (i = 0; i < TOKEN_SET_SIZE; i++) {
+ if (token_set[i].token == 0)
+ break;
+ if (token_set[i].token == token) {
+ *secids = token_set[i].secids;
+ token_set[i].used = next_used();
+ return;
+ }
+ }
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: %s token=%u was not found\n", __func__, token);
+#endif
+ }
+ *secids = null_secids;
+}
+
+u32 lsm_token_to_module_secid(const u32 token, int lsm)
+{
+ struct lsm_secids secids;
+
+ lsm_token_to_secids(token, &secids);
+ return secids.secid[lsm];
+}
+
+void lsm_secids_init(struct lsm_secids *secids)
+{
+ *secids = null_secids;
+}
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info@ http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 08/11] LSM: Complete abstraction of superblock blob in Smack
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (6 preceding siblings ...)
2017-08-29 21:01 ` [PATCH 07/11] LSM: Shared secids by token Casey Schaufler
@ 2017-08-29 21:02 ` Casey Schaufler
2017-08-29 21:03 ` [PATCH 09/11] LSM: Multiple security mount option support Casey Schaufler
` (2 subsequent siblings)
10 siblings, 0 replies; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 21:02 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 08/11] LSM: Complete abstraction of superblock blob in Smack
Three cases of the abstraction of the superblock blob
where missed in the Smack code. This fixes the omission.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/smack/smack_lsm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 51daf9b05f17..3523072b5548 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1166,7 +1166,7 @@ static int smack_inode_rename(struct inode *old_inode,
*/
static int smack_inode_permission(struct inode *inode, int mask)
{
- struct superblock_smack *sbsp = inode->i_sb->s_security;
+ struct superblock_smack *sbsp = smack_superblock(inode->i_sb);
struct smk_audit_info ad;
int no_block = mask & MAY_NOT_BLOCK;
int rc;
@@ -1408,7 +1408,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
*/
if (strcmp(name, XATTR_NAME_SMACK) == 0) {
struct super_block *sbp = dentry->d_sb;
- struct superblock_smack *sbsp = sbp->s_security;
+ struct superblock_smack *sbsp = smack_superblock(sbp);
isp->smk_inode = sbsp->smk_default;
} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
@@ -1683,7 +1683,7 @@ static int smack_mmap_file(struct file *file,
isp = smack_inode(file_inode(file));
if (isp->smk_mmap == NULL)
return 0;
- sbsp = file_inode(file)->i_sb->s_security;
+ sbsp = smack_superblock(file_inode(file)->i_sb);
if (sbsp->smk_flags & SMK_SB_UNTRUSTED &&
isp->smk_mmap != sbsp->smk_root)
return -EACCES;
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 09/11] LSM: Multiple security mount option support
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (7 preceding siblings ...)
2017-08-29 21:02 ` [PATCH 08/11] LSM: Complete abstraction of superblock blob in Smack Casey Schaufler
@ 2017-08-29 21:03 ` Casey Schaufler
2017-08-29 21:03 ` [PATCH 10/11] LSM: Complete task_alloc hook Casey Schaufler
2017-08-29 21:05 ` [PATCH 11/11] LSM: Allow stacking of all existing security Casey Schaufler
10 siblings, 0 replies; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 21:03 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 09/11] LSM: Multiple security mount option support
There needs to be separate data for each of the
security modules that support mount options.
Expand the security_mnt_opts structure to include
an entry for each security module that uses them.
It would be better to have a variable size blob,
but there isn't a convenient place to hang such.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/btrfs/super.c | 10 +++---
include/linux/security.h | 54 +++++++++++++++++++++-------
security/security.c | 15 ++++++--
security/selinux/hooks.c | 90 +++++++++++++++++++++++-----------------------
security/smack/smack_lsm.c | 51 +++++++++++++-------------
5 files changed, 131 insertions(+), 89 deletions(-)
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 12540b6104b5..1b54bd0a0806 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1498,15 +1498,15 @@ static int setup_security_options(struct btrfs_fs_info *fs_info,
return ret;
#ifdef CONFIG_SECURITY
- if (!fs_info->security_opts.num_mnt_opts) {
+ if (fs_info->security_opts.selinux.num_mnt_opts != 0 ||
+ fs_info->security_opts.smack.num_mnt_opts != 0) {
/* first time security setup, copy sec_opts to fs_info */
memcpy(&fs_info->security_opts, sec_opts, sizeof(*sec_opts));
} else {
/*
- * Since SELinux (the only one supporting security_mnt_opts)
- * does NOT support changing context during remount/mount of
- * the same sb, this must be the same or part of the same
- * security options, just free it.
+ * Since no modules support changing context during
+ * remount/mount of the same sb, this must be the same
+ * or part of the same security options, just free it.
*/
security_free_mnt_opts(sec_opts);
}
diff --git a/include/linux/security.h b/include/linux/security.h
index 8317ace3c30f..f9ac8e9fe2c3 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -162,34 +162,64 @@ typedef int (*initxattrs) (struct inode *inode,
#ifdef CONFIG_SECURITY
-struct security_mnt_opts {
+struct lsm_mnt_opts {
char **mnt_opts;
int *mnt_opts_flags;
int num_mnt_opts;
};
+#ifdef SECURITY_EXTREME_STACKING
+
+struct security_mnt_opts {
+ struct lsm_mnt_opts selinux;
+ struct lsm_mnt_opts smack;
+};
+
+#else
+
+struct security_mnt_opts {
+ union {
+ struct lsm_mnt_opts selinux;
+ struct lsm_mnt_opts smack;
+ };
+};
+
+#endif
+
int call_lsm_notifier(enum lsm_event event, void *data);
int register_lsm_notifier(struct notifier_block *nb);
int unregister_lsm_notifier(struct notifier_block *nb);
static inline void security_init_mnt_opts(struct security_mnt_opts *opts)
{
- opts->mnt_opts = NULL;
- opts->mnt_opts_flags = NULL;
- opts->num_mnt_opts = 0;
+ opts->selinux.mnt_opts = NULL;
+ opts->selinux.mnt_opts_flags = NULL;
+ opts->selinux.num_mnt_opts = 0;
+ opts->smack.mnt_opts = NULL;
+ opts->smack.mnt_opts_flags = NULL;
+ opts->smack.num_mnt_opts = 0;
}
static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
{
int i;
- if (opts->mnt_opts)
- for (i = 0; i < opts->num_mnt_opts; i++)
- kfree(opts->mnt_opts[i]);
- kfree(opts->mnt_opts);
- opts->mnt_opts = NULL;
- kfree(opts->mnt_opts_flags);
- opts->mnt_opts_flags = NULL;
- opts->num_mnt_opts = 0;
+ if (opts->selinux.mnt_opts)
+ for (i = 0; i < opts->selinux.num_mnt_opts; i++)
+ kfree(opts->selinux.mnt_opts[i]);
+ kfree(opts->selinux.mnt_opts);
+ opts->selinux.mnt_opts = NULL;
+ kfree(opts->selinux.mnt_opts_flags);
+ opts->selinux.mnt_opts_flags = NULL;
+ opts->selinux.num_mnt_opts = 0;
+
+ if (opts->smack.mnt_opts)
+ for (i = 0; i < opts->smack.num_mnt_opts; i++)
+ kfree(opts->smack.mnt_opts[i]);
+ kfree(opts->smack.mnt_opts);
+ opts->smack.mnt_opts = NULL;
+ kfree(opts->smack.mnt_opts_flags);
+ opts->smack.mnt_opts_flags = NULL;
+ opts->smack.num_mnt_opts = 0;
}
/* prototypes */
diff --git a/security/security.c b/security/security.c
index 9d402d954cef..6ebcc89004ef 100644
--- a/security/security.c
+++ b/security/security.c
@@ -770,9 +770,18 @@ int security_sb_set_mnt_opts(struct super_block *sb,
unsigned long kern_flags,
unsigned long *set_kern_flags)
{
- return call_int_hook(sb_set_mnt_opts,
- opts->num_mnt_opts ? -EOPNOTSUPP : 0, sb,
- opts, kern_flags, set_kern_flags);
+ int nobody = 0;
+
+#ifdef SECURITY_EXTREME_STACKING
+ if (opts->selinux.num_mnt_opts != 0 || opts->smack.num_mnt_opts != 0)
+ nobody = -EOPNOTSUPP;
+#else
+ if (opts->selinux.num_mnt_opts != 0)
+ nobody = -EOPNOTSUPP;
+#endif
+
+ return call_int_hook(sb_set_mnt_opts, nobody, sb, opts, kern_flags,
+ set_kern_flags);
}
EXPORT_SYMBOL(security_sb_set_mnt_opts);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 389f09ebd374..1cb90a7ac0cb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -545,21 +545,23 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
/* count the number of mount options for this sb */
for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
if (tmp & 0x01)
- opts->num_mnt_opts++;
+ opts->selinux.num_mnt_opts++;
tmp >>= 1;
}
/* Check if the Label support flag is set */
if (sbsec->flags & SBLABEL_MNT)
- opts->num_mnt_opts++;
+ opts->selinux.num_mnt_opts++;
- opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
- if (!opts->mnt_opts) {
+ opts->selinux.mnt_opts = kcalloc(opts->selinux.num_mnt_opts,
+ sizeof(char *), GFP_ATOMIC);
+ if (!opts->selinux.mnt_opts) {
rc = -ENOMEM;
goto out_free;
}
- opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
- if (!opts->mnt_opts_flags) {
+ opts->selinux.mnt_opts_flags = kcalloc(opts->selinux.num_mnt_opts,
+ sizeof(int), GFP_ATOMIC);
+ if (!opts->selinux.mnt_opts_flags) {
rc = -ENOMEM;
goto out_free;
}
@@ -569,22 +571,22 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
rc = security_sid_to_context(sbsec->sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = FSCONTEXT_MNT;
}
if (sbsec->flags & CONTEXT_MNT) {
rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = CONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = CONTEXT_MNT;
}
if (sbsec->flags & DEFCONTEXT_MNT) {
rc = security_sid_to_context(sbsec->def_sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = DEFCONTEXT_MNT;
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct dentry *root = sbsec->sb->s_root;
@@ -594,15 +596,15 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
}
if (sbsec->flags & SBLABEL_MNT) {
- opts->mnt_opts[i] = NULL;
- opts->mnt_opts_flags[i++] = SBLABEL_MNT;
+ opts->selinux.mnt_opts[i] = NULL;
+ opts->selinux.mnt_opts_flags[i++] = SBLABEL_MNT;
}
- BUG_ON(i != opts->num_mnt_opts);
+ BUG_ON(i != opts->selinux.num_mnt_opts);
return 0;
@@ -648,9 +650,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
struct inode_security_struct *root_isec;
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
- char **mount_options = opts->mnt_opts;
- int *flags = opts->mnt_opts_flags;
- int num_opts = opts->num_mnt_opts;
+ char **mount_options = opts->selinux.mnt_opts;
+ int *flags = opts->selinux.mnt_opts_flags;
+ int num_opts = opts->selinux.num_mnt_opts;
mutex_lock(&sbsec->lock);
@@ -1008,7 +1010,7 @@ static int selinux_parse_opts_str(char *options,
char *fscontext = NULL, *rootcontext = NULL;
int rc, num_mnt_opts = 0;
- opts->num_mnt_opts = 0;
+ opts->selinux.num_mnt_opts = 0;
/* Standard string-based options. */
while ((p = strsep(&options, "|")) != NULL) {
@@ -1075,41 +1077,39 @@ static int selinux_parse_opts_str(char *options,
case Opt_labelsupport:
break;
default:
- rc = -EINVAL;
printk(KERN_WARNING "SELinux: unknown mount option\n");
- goto out_err;
-
+ break;
}
}
rc = -ENOMEM;
- opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
- if (!opts->mnt_opts)
+ opts->selinux.mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
+ if (!opts->selinux.mnt_opts)
goto out_err;
- opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
+ opts->selinux.mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
GFP_KERNEL);
- if (!opts->mnt_opts_flags)
+ if (!opts->selinux.mnt_opts_flags)
goto out_err;
if (fscontext) {
- opts->mnt_opts[num_mnt_opts] = fscontext;
- opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = fscontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
}
if (context) {
- opts->mnt_opts[num_mnt_opts] = context;
- opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = context;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
}
if (rootcontext) {
- opts->mnt_opts[num_mnt_opts] = rootcontext;
- opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = rootcontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
}
if (defcontext) {
- opts->mnt_opts[num_mnt_opts] = defcontext;
- opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = defcontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
}
- opts->num_mnt_opts = num_mnt_opts;
+ opts->selinux.num_mnt_opts = num_mnt_opts;
return 0;
out_err:
@@ -1154,15 +1154,15 @@ static void selinux_write_opts(struct seq_file *m,
int i;
char *prefix;
- for (i = 0; i < opts->num_mnt_opts; i++) {
+ for (i = 0; i < opts->selinux.num_mnt_opts; i++) {
char *has_comma;
- if (opts->mnt_opts[i])
- has_comma = strchr(opts->mnt_opts[i], ',');
+ if (opts->selinux.mnt_opts[i])
+ has_comma = strchr(opts->selinux.mnt_opts[i], ',');
else
has_comma = NULL;
- switch (opts->mnt_opts_flags[i]) {
+ switch (opts->selinux.mnt_opts_flags[i]) {
case CONTEXT_MNT:
prefix = CONTEXT_STR;
break;
@@ -1188,7 +1188,7 @@ static void selinux_write_opts(struct seq_file *m,
seq_puts(m, prefix);
if (has_comma)
seq_putc(m, '\"');
- seq_escape(m, opts->mnt_opts[i], "\"\n\\");
+ seq_escape(m, opts->selinux.mnt_opts[i], "\"\n\\");
if (has_comma)
seq_putc(m, '\"');
}
@@ -2698,10 +2698,10 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
if (rc)
goto out_free_secdata;
- mount_options = opts.mnt_opts;
- flags = opts.mnt_opts_flags;
+ mount_options = opts.selinux.mnt_opts;
+ flags = opts.selinux.mnt_opts_flags;
- for (i = 0; i < opts.num_mnt_opts; i++) {
+ for (i = 0; i < opts.selinux.num_mnt_opts; i++) {
u32 sid;
if (flags[i] == SBLABEL_MNT)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 3523072b5548..1e32fcd99a0d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -602,7 +602,7 @@ static int smack_parse_opts_str(char *options,
int num_mnt_opts = 0;
int token;
- opts->num_mnt_opts = 0;
+ opts->smack.num_mnt_opts = 0;
if (!options)
return 0;
@@ -658,37 +658,40 @@ static int smack_parse_opts_str(char *options,
}
}
- opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_KERNEL);
- if (!opts->mnt_opts)
+ opts->smack.mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *),
+ GFP_KERNEL);
+ if (!opts->smack.mnt_opts)
goto out_err;
- opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int),
- GFP_KERNEL);
- if (!opts->mnt_opts_flags)
+ opts->smack.mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int),
+ GFP_KERNEL);
+ if (!opts->smack.mnt_opts_flags) {
+ kfree(opts->smack.mnt_opts);
goto out_err;
+ }
if (fsdefault) {
- opts->mnt_opts[num_mnt_opts] = fsdefault;
- opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsdefault;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT;
}
if (fsfloor) {
- opts->mnt_opts[num_mnt_opts] = fsfloor;
- opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsfloor;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
}
if (fshat) {
- opts->mnt_opts[num_mnt_opts] = fshat;
- opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fshat;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
}
if (fsroot) {
- opts->mnt_opts[num_mnt_opts] = fsroot;
- opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsroot;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
}
if (fstransmute) {
- opts->mnt_opts[num_mnt_opts] = fstransmute;
- opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fstransmute;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
}
- opts->num_mnt_opts = num_mnt_opts;
+ opts->smack.num_mnt_opts = num_mnt_opts;
return 0;
out_opt_err:
@@ -727,7 +730,7 @@ static int smack_set_mnt_opts(struct super_block *sb,
struct inode_smack *isp;
struct smack_known *skp;
int i;
- int num_opts = opts->num_mnt_opts;
+ int num_opts = opts->smack.num_mnt_opts;
int transmute = 0;
if (sp->smk_flags & SMK_SB_INITIALIZED)
@@ -761,33 +764,33 @@ static int smack_set_mnt_opts(struct super_block *sb,
sp->smk_flags |= SMK_SB_INITIALIZED;
for (i = 0; i < num_opts; i++) {
- switch (opts->mnt_opts_flags[i]) {
+ switch (opts->smack.mnt_opts_flags[i]) {
case FSDEFAULT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_default = skp;
break;
case FSFLOOR_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_floor = skp;
break;
case FSHAT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_hat = skp;
break;
case FSROOT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
break;
case FSTRANS_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 10/11] LSM: Complete task_alloc hook
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (8 preceding siblings ...)
2017-08-29 21:03 ` [PATCH 09/11] LSM: Multiple security mount option support Casey Schaufler
@ 2017-08-29 21:03 ` Casey Schaufler
2017-08-29 21:05 ` [PATCH 11/11] LSM: Allow stacking of all existing security Casey Schaufler
10 siblings, 0 replies; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 21:03 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 10/11] LSM: Complete task_alloc hook
The Task alloc hook needs to allocate the data.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/security.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/security/security.c b/security/security.c
index 6ebcc89004ef..a66663ac932b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1387,6 +1387,10 @@ int security_file_open(struct file *file, const struct cred *cred)
int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
{
+ int rc = lsm_task_alloc(task);
+
+ if (rc)
+ return rc;
return call_int_hook(task_alloc, 0, task, clone_flags);
}
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 11/11] LSM: Allow stacking of all existing security
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (9 preceding siblings ...)
2017-08-29 21:03 ` [PATCH 10/11] LSM: Complete task_alloc hook Casey Schaufler
@ 2017-08-29 21:05 ` Casey Schaufler
10 siblings, 0 replies; 21+ messages in thread
From: Casey Schaufler @ 2017-08-29 21:05 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 11/11] LSM: Allow stacking of all existing security
Allow any combination of existing security modules,
including those using secids and security marked networking.
The interfaces used by filesystems to maintain security
attributes:
security_inode_setsecctx
security_inode_getsecctx
security_inode_notifysecctx
have been trained to keep a full set of attributes
using the "lsm1='data1',lsm2='data2'" format.
A prtcl interface has been added to identify which
security module should be invoked when secids are
translated to secctx and back. If none is specified the
first module will be used. This eliminates the ambiguity
of what data will be seen in user-space at the cost of
requiring user-space code to be explicit about what it
wants to see.
Issues remain with the use of netlabel, as SELinux and
Smack use the interfaces differently.
Audit has not been fully tested, and may not always
be providing the correct security module information.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/xattr.c | 6 +-
include/linux/lsm_audit.h | 4 +
include/linux/lsm_hooks.h | 10 +-
include/net/request_sock.h | 2 +
include/uapi/linux/prctl.h | 6 +
kernel/fork.c | 3 +
net/netlabel/netlabel_unlabeled.c | 2 +-
security/Kconfig | 41 +--
security/security.c | 658 ++++++++++++++++++++++++++++++------
security/selinux/hooks.c | 41 +--
security/selinux/include/objsec.h | 13 +
security/selinux/include/security.h | 3 +-
security/selinux/netlabel.c | 5 +-
security/selinux/ss/services.c | 4 +-
security/smack/smack.h | 10 +
security/smack/smack_lsm.c | 79 ++---
security/smack/smack_netfilter.c | 17 +-
security/smack/smackfs.c | 3 +-
security/stacking.c | 63 +++-
19 files changed, 733 insertions(+), 237 deletions(-)
diff --git a/fs/xattr.c b/fs/xattr.c
index 464c94bf65f9..01983733651c 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -249,7 +249,11 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
}
memcpy(value, buffer, len);
out:
- security_release_secctx(buffer, len);
+ /*
+ * security_inode_getsecurity() does not put a secctx
+ * into buffer, it puts an allocated string into buffer.
+ */
+ kfree(buffer);
out_noalloc:
return len;
}
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 22b5d4e687ce..44004e477d97 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -94,7 +94,11 @@ struct common_audit_data {
struct lsm_ibendport_audit *ibendport;
} u;
/* this union contains LSM specific data */
+#ifdef CONFIG_SECURITY_STACKING
+ struct {
+#else
union {
+#endif
#ifdef CONFIG_SECURITY_SMACK
struct smack_audit_data *smack_audit_data;
#endif
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 75d95854f2ed..61460f930adb 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1939,7 +1939,8 @@ struct lsm_secids {
extern u32 lsm_secids_to_token(const struct lsm_secids *secids);
extern void lsm_token_to_secids(const u32 token, struct lsm_secids *secids);
-extern u32 lsm_token_to_module_secid(const u32 token, int lsm);
+extern u32 lsm_token_get_secid(const u32 token, int lsm);
+extern u32 lsm_token_set_secid(const u32 token, u32 lsecid, int lsm);
extern void lsm_secids_init(struct lsm_secids *secids);
#else /* CONFIG_SECURITY_STACKING */
struct lsm_secids {
@@ -1957,11 +1958,16 @@ static inline void lsm_token_to_secids(const u32 token,
secids->secid = token;
}
-static inline u32 lsm_token_to_module_secid(const u32 token, int lsm)
+static inline u32 lsm_token_get_secid(const u32 token, int lsm)
{
return token;
}
+static inline u32 lsm_token_set_secid(const u32 token, u32 lsecid, int lsm)
+{
+ return lsecid;
+}
+
static inline void lsm_secids_init(struct lsm_secids *secids)
{
secids->secid = 0;
diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index 23e22054aa60..07c0e919c4e7 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -102,6 +102,8 @@ reqsk_alloc(const struct request_sock_ops *ops, struct sock *sk_listener,
sk_tx_queue_clear(req_to_sk(req));
req->saved_syn = NULL;
refcount_set(&req->rsk_refcnt, 0);
+ req->secid = 0;
+ req->peer_secid = 0;
return req;
}
diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index a8d0759a9e40..e7234c5cb7de 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -197,4 +197,10 @@ struct prctl_mm_map {
# define PR_CAP_AMBIENT_LOWER 3
# define PR_CAP_AMBIENT_CLEAR_ALL 4
+/*
+ * Control the LSM specific information reported by
+ * SO_PEERSEC and /proc/.../attr/current
+ */
+#define PR_GET_DISPLAY_LSM 48
+#define PR_SET_DISPLAY_LSM 49
#endif /* _LINUX_PRCTL_H */
diff --git a/kernel/fork.c b/kernel/fork.c
index 5ff0ebcaafc3..01b90e4f76eb 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1696,6 +1696,9 @@ static __latent_entropy struct task_struct *copy_process(
p->sequential_io = 0;
p->sequential_io_avg = 0;
#endif
+#ifdef CONFIG_SECURITY
+ p->security = NULL;
+#endif
/* Perform scheduler related setup. Assign this task to a CPU. */
retval = sched_fork(clone_flags, p);
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 22dc1b9d6362..751cfac79b3e 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -899,7 +899,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
/* Don't allow users to add both IPv4 and IPv6 addresses for a
* single entry. However, allow users to create two entries, one each
- * for IPv4 and IPv4, with the same LSM security context which should
+ * for IPv4 and IPv6, with the same LSM security context which should
* achieve the same result. */
if (!info->attrs[NLBL_UNLABEL_A_SECCTX] ||
!info->attrs[NLBL_UNLABEL_A_IFACE] ||
diff --git a/security/Kconfig b/security/Kconfig
index 36a1519f31d2..499175d0b164 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -292,42 +292,27 @@ endmenu
menu "Security Module Stack"
visible if SECURITY_STACKING
-choice
- prompt "Stacked 'extreme' security module"
- default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
- default SECURITY_SMACK_STACKED if SECURITY_SMACK
-
- help
- Enable an extreme security module. These modules cannot
- be used at the same time.
-
- config SECURITY_SELINUX_STACKED
- bool "SELinux" if SECURITY_SELINUX=y
+config SECURITY_SELINUX_STACKED
+ bool "SELinux" if SECURITY_SELINUX=y
help
- Add the SELinux security module to the stack. At this
- time the Smack security module is incompatible with this
- module.
+ Add the SELinux security module to the stack.
Please be sure your user space code is accomodating of
this security module.
+ Ensure that your network configuration is compatible
+ with your combination of security modules.
- config SECURITY_SMACK_STACKED
- bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_SMACK_STACKED
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
help
- Add the Smack security module to the stack. At this
- time the SELinux security module is incompatible with this
- module.
+ Add the Smack security module to the stack.
Please be sure your user space code is accomodating of
this security module.
+ Ensure that your network configuration is compatible
+ with your combination of security modules.
- config SECURITY_NOTHING_STACKED
- bool "Use no 'extreme' security module"
- help
- Add neither the SELinux security module nor the Smack security
- module to the stack.
- Please be sure your user space code does not require either of
- these security modules.
-
-endchoice
+ If you are unsure how to answer this question, answer N.
config SECURITY_TOMOYO_STACKED
bool "TOMOYO support is enabled by default"
diff --git a/security/security.c b/security/security.c
index a66663ac932b..0ee8aca486ca 100644
--- a/security/security.c
+++ b/security/security.c
@@ -28,10 +28,16 @@
#include <linux/backing-dev.h>
#include <linux/string.h>
#include <linux/msg.h>
+#include <linux/prctl.h>
#include <net/flow.h>
#include <net/sock.h>
-#define MAX_LSM_EVM_XATTR 2
+/*
+ * EVM, SElinux, Smack, and one extra.
+ *
+ * This should be computed.
+ */
+#define MAX_LSM_EVM_XATTR 8
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
@@ -41,7 +47,17 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init;
static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
char *lsm_names;
-static struct lsm_blob_sizes blob_sizes;
+
+/*
+ * If stacking is enabled the task blob will always
+ * include an indicator of what security module data
+ * should be displayed. This is set with PR_SET_DISPLAY_LSM.
+ */
+static struct lsm_blob_sizes blob_sizes = {
+#ifdef CONFIG_SECURITY_STACKING
+ .lbs_task = SECURITY_NAME_MAX + 2,
+#endif
+};
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
@@ -354,6 +370,64 @@ int lsm_file_alloc(struct file *file)
return 0;
}
+#ifdef CONFIG_SECURITY_STACKING
+static inline char *lsm_of_task(struct task_struct *task)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (task->security == NULL)
+ pr_info("%s: task has no lsm name.\n", __func__);
+#endif
+ return task->security;
+}
+#endif
+
+#ifdef CONFIG_SECURITY_STACKING
+struct lsm_value {
+ char *lsm;
+ char *data;
+};
+
+/**
+ * lsm_parse_context - break a compound "context" into module data
+ * @cxt: the initial data, which will be modified
+ * @vlist: an array to receive the results
+ *
+ * Returns the number of entries, or -EINVAL if the cxt is unworkable.
+ */
+static int lsm_parse_context(char *cxt, struct lsm_value *vlist)
+{
+ char *lsm;
+ char *data;
+ char *cp;
+ int i;
+
+ lsm = cxt;
+ for (i = 0; i < LSM_MAX_MAJOR; i++) {
+ data = strstr(lsm, "='");
+ if (!data)
+ break;
+ *data = '\0';
+ data += 2;
+ cp = strchr(data, '\'');
+ if (!cp)
+ return -EINVAL;
+ *cp++ = '\0';
+ vlist[i].lsm = lsm;
+ vlist[i].data = data;
+ if (*cp == '\0') {
+ i++;
+ break;
+ }
+ if (*cp == ',')
+ cp++;
+ else
+ return -EINVAL;
+ lsm = cp;
+ }
+ return i;
+}
+#endif /* CONFIG_SECURITY_STACKING */
+
/**
* lsm_task_alloc - allocate a composite task blob
* @task: the task that needs a blob
@@ -860,9 +934,10 @@ int security_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr,
const initxattrs initxattrs, void *fs_data)
{
- struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1];
- struct xattr *lsm_xattr, *evm_xattr, *xattr;
- int ret;
+ struct security_hook_list *hp;
+ struct xattr xattrs[MAX_LSM_EVM_XATTR + 1];
+ int rc = -EOPNOTSUPP;
+ int attrn = 0;
if (unlikely(IS_PRIVATE(inode)))
return 0;
@@ -870,24 +945,41 @@ int security_inode_init_security(struct inode *inode, struct inode *dir,
if (!initxattrs)
return call_int_hook(inode_init_security, -EOPNOTSUPP, inode,
dir, qstr, NULL, NULL, NULL);
- memset(new_xattrs, 0, sizeof(new_xattrs));
- lsm_xattr = new_xattrs;
- ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr,
- &lsm_xattr->name,
- &lsm_xattr->value,
- &lsm_xattr->value_len);
- if (ret)
+
+ memset(xattrs, 0, sizeof(xattrs));
+
+ list_for_each_entry(hp, &security_hook_heads.inode_init_security,
+ list) {
+ rc = hp->hook.inode_init_security(inode, dir, qstr,
+ &xattrs[attrn].name,
+ &xattrs[attrn].value,
+ &xattrs[attrn].value_len);
+ /*
+ * If the module doesn't support this, reuse the entry.
+ * If it's a real error, bail out of the loop.
+ */
+ if (rc == -EOPNOTSUPP)
+ rc = 0;
+ else if (rc)
+ break;
+ else
+ attrn++;
+ }
+ if (rc)
goto out;
- evm_xattr = lsm_xattr + 1;
- ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
- if (ret)
+ /*
+ * Should EVM loop on these?
+ * Do the first one until it's sorted out.
+ */
+ rc = evm_inode_init_security(inode, &xattrs[0], &xattrs[attrn]);
+ if (rc)
goto out;
- ret = initxattrs(inode, new_xattrs, fs_data);
+ rc = initxattrs(inode, xattrs, fs_data);
out:
- for (xattr = new_xattrs; xattr->value != NULL; xattr++)
- kfree(xattr->value);
- return (ret == -EOPNOTSUPP) ? 0 : ret;
+ for (; attrn >= 0; attrn--)
+ kfree(xattrs[attrn].value);
+ return (rc == -EOPNOTSUPP) ? 0 : rc;
}
EXPORT_SYMBOL(security_inode_init_security);
@@ -1115,24 +1207,26 @@ int security_inode_getattr(const struct path *path)
int security_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
- int ret;
+ struct security_hook_list *hp;
+ int rc = -ENOSYS;
+ int trc;
if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
return 0;
- /*
- * SELinux and Smack integrate the cap call,
- * so assume that all LSMs supplying this call do so.
- */
- ret = call_int_hook(inode_setxattr, 1, dentry, name, value, size,
- flags);
-
- if (ret == 1)
- ret = cap_inode_setxattr(dentry, name, value, size, flags);
- if (ret)
- return ret;
- ret = ima_inode_setxattr(dentry, name, value, size);
- if (ret)
- return ret;
+ list_for_each_entry(hp, &security_hook_heads.inode_setxattr, list) {
+ trc = hp->hook.inode_setxattr(dentry, name, value, size, flags);
+ if (trc != -ENOSYS) {
+ rc = trc;
+ break;
+ }
+ }
+ if (rc == -ENOSYS)
+ rc = cap_inode_setxattr(dentry, name, value, size, flags);
+ if (rc)
+ return rc;
+ rc = ima_inode_setxattr(dentry, name, value, size);
+ if (rc)
+ return rc;
return evm_inode_setxattr(dentry, name, value, size);
}
@@ -1237,6 +1331,7 @@ EXPORT_SYMBOL(security_inode_listsecurity);
void security_inode_getsecid(struct inode *inode, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
@@ -1246,6 +1341,9 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
hp->hook.inode_getsecid(inode, &secids.secid[hp->lsm_index]);
*secid = lsm_secids_to_token(&secids);
+#else
+ call_void_hook(inode_getsecid, inode, secid);
+#endif
}
int security_inode_copy_up(struct dentry *src, struct cred **new)
@@ -1437,6 +1535,7 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
int security_kernel_act_as(struct cred *new, u32 secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = 0;
@@ -1444,11 +1543,20 @@ int security_kernel_act_as(struct cred *new, u32 secid)
lsm_token_to_secids(secid, &secids);
list_for_each_entry(hp, &security_hook_heads.kernel_act_as, list) {
+ /*
+ * Not all of the security modules may have gotten
+ * a secid when this token was created, so ignore 0.
+ */
+ if (secids.secid[hp->lsm_index] == 0)
+ continue;
rc = hp->hook.kernel_act_as(new, secids.secid[hp->lsm_index]);
if (rc)
break;
}
return rc;
+#else
+ return call_int_hook(kernel_act_as, 0, new, secid);
+#endif
}
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
@@ -1507,6 +1615,7 @@ int security_task_getsid(struct task_struct *p)
void security_task_getsecid(struct task_struct *p, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
@@ -1516,6 +1625,10 @@ void security_task_getsecid(struct task_struct *p, u32 *secid)
hp->hook.task_getsecid(p, &secids.secid[hp->lsm_index]);
*secid = lsm_secids_to_token(&secids);
+#else
+ *secid = 0;
+ call_void_hook(task_getsecid, p, secid);
+#endif
}
EXPORT_SYMBOL(security_task_getsecid);
@@ -1564,6 +1677,7 @@ int security_task_movememory(struct task_struct *p)
int security_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = 0;
@@ -1577,7 +1691,61 @@ int security_task_kill(struct task_struct *p, struct siginfo *info,
break;
}
return rc;
+#else
+ return call_int_hook(task_kill, 0, p, info, sig, secid);
+#endif
+}
+
+#ifdef CONFIG_SECURITY_STACKING
+static char *nolsm = "-default";
+#define NOLSMLEN 9
+
+static int lsm_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+ unsigned long arg4, unsigned long arg5)
+{
+ char *lsm = lsm_of_task(current);
+ char buffer[SECURITY_NAME_MAX + 1];
+ __user char *optval = (__user char *)arg2;
+ __user int *optlen = (__user int *)arg3;
+ int dlen;
+ int len;
+
+ switch (option) {
+ case PR_GET_DISPLAY_LSM:
+ len = arg4;
+ if (lsm[0] == '\0') {
+ lsm = nolsm;
+ dlen = NOLSMLEN;
+ } else
+ dlen = strlen(lsm) + 1;
+ if (dlen > len)
+ return -ERANGE;
+ if (copy_to_user(optval, lsm, dlen))
+ return -EFAULT;
+ if (put_user(dlen, optlen))
+ return -EFAULT;
+ break;
+ case PR_SET_DISPLAY_LSM:
+ len = arg3;
+ if (len > SECURITY_NAME_MAX)
+ return -EINVAL;
+ if (copy_from_user(buffer, optval, len))
+ return -EFAULT;
+ buffer[len] = '\0';
+ /*
+ * Trust the caller to know what lsm name(s) are available.
+ */
+ if (!strncmp(buffer, nolsm, NOLSMLEN))
+ lsm[0] = '\0';
+ else
+ strcpy(lsm, buffer);
+ break;
+ default:
+ return -ENOSYS;
+ }
+ return 0;
}
+#endif
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
@@ -1586,6 +1754,12 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
int rc = -ENOSYS;
struct security_hook_list *hp;
+#ifdef CONFIG_SECURITY_STACKING
+ rc = lsm_task_prctl(option, arg2, arg3, arg4, arg5);
+ if (rc != -ENOSYS)
+ return rc;
+#endif
+
list_for_each_entry(hp, &security_hook_heads.task_prctl, list) {
thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5);
if (thisrc != -ENOSYS) {
@@ -1609,6 +1783,7 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
@@ -1618,6 +1793,10 @@ void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
hp->hook.ipc_getsecid(ipcp, &secids.secid[hp->lsm_index]);
*secid = lsm_secids_to_token(&secids);
+#else
+ *secid = 0;
+ call_void_hook(ipc_getsecid, ipcp, secid);
+#endif
}
int security_msg_msg_alloc(struct msg_msg *msg)
@@ -1754,6 +1933,9 @@ EXPORT_SYMBOL(security_d_instantiate);
int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
char **value)
{
+#ifdef CONFIG_SECURITY_STACKING
+ char *speclsm = lsm_of_task(p);
+#endif
struct security_hook_list *hp;
char *vp;
char *cp = NULL;
@@ -1801,6 +1983,10 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
if (lsm != NULL && strcmp(lsm, hp->lsm))
continue;
+#ifdef CONFIG_SECURITY_STACKING
+ if (!lsm && speclsm && speclsm[0] && strcmp(speclsm, hp->lsm))
+ continue;
+#endif
rc = hp->hook.getprocattr(p, name, value);
if (rc != -ENOENT)
return rc;
@@ -1811,12 +1997,17 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size)
{
+#ifdef CONFIG_SECURITY_STACKING
+ char *speclsm = lsm_of_task(current);
+ struct lsm_value *lsm_value = NULL;
+ int count;
+#else
+ char *tvalue;
+#endif
struct security_hook_list *hp;
int rc;
- char *local;
+ char *temp;
char *cp;
- int slen;
- int failed = 0;
/*
* If lsm is NULL look at all the modules to find one
@@ -1826,71 +2017,81 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
* "context" is handled directly here.
*/
if (strcmp(name, "context") == 0) {
- /*
- * First verify that the input is acceptable.
- * lsm1='v1'lsm2='v2'lsm3='v3'
- *
- * A note on the use of strncmp() below.
- * The check is for the substring at the beginning of cp.
- * The kzalloc of size + 1 ensures a terminated string.
- */
rc = -EINVAL;
- local = kzalloc(size + 1, GFP_KERNEL);
- memcpy(local, value, size);
- cp = local;
- list_for_each_entry(hp, &security_hook_heads.setprocattr,
- list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
- continue;
- if (cp[0] == ',') {
- if (cp == local)
- goto free_out;
- cp++;
- }
- slen = strlen(hp->lsm);
- if (strncmp(cp, hp->lsm, slen))
- goto free_out;
- cp += slen;
- if (cp[0] != '=' || cp[1] != '\'' || cp[2] == '\'')
- goto free_out;
- for (cp += 2; cp[0] != '\''; cp++)
- if (cp[0] == '\0')
- goto free_out;
- cp++;
+ temp = kmemdup(value, size + 1, GFP_KERNEL);
+ if (!temp)
+ return -ENOMEM;
+
+ temp[size] = '\0';
+ cp = strrchr(temp, '\'');
+ if (!cp)
+ goto free_out;
+
+ cp[1] = '\0';
+#ifdef CONFIG_SECURITY_STACKING
+ lsm_value = kzalloc(sizeof(*lsm_value) * LSM_MAX_MAJOR,
+ GFP_KERNEL);
+ if (!lsm_value) {
+ rc = -ENOMEM;
+ goto free_out;
}
- cp = local;
+ count = lsm_parse_context(temp, lsm_value);
+ if (count <= 0)
+ goto free_out;
+
+ for (count--; count >= 0; count--) {
+ list_for_each_entry(hp,
+ &security_hook_heads.setprocattr, list) {
+
+ if (lsm && strcmp(lsm, hp->lsm))
+ continue;
+ if (!strcmp(hp->lsm, lsm_value[count].lsm)) {
+ rc = hp->hook.setprocattr("context",
+ lsm_value[count].data,
+ strlen(lsm_value[count].data));
+ break;
+ }
+ }
+ if (rc < 0 || (lsm && rc >0))
+ break;
+ }
+#else /* CONFIG_SECURITY_STACKING */
+ cp = strstr(temp, "='");
+ if (!cp)
+ goto free_out;
+ *cp = '\0';
+ tvalue = strchr(cp + 2, '\'');
+ if (!tvalue)
+ goto free_out;
list_for_each_entry(hp, &security_hook_heads.setprocattr,
- list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
- continue;
- if (cp[0] == ',')
- cp++;
- cp += strlen(hp->lsm) + 2;
- for (slen = 0; cp[slen] != '\''; slen++)
- ;
- cp[slen] = '\0';
-
- rc = hp->hook.setprocattr("context", cp, slen);
- if (rc < 0)
- failed = rc;
- cp += slen + 1;
+ list) {
+ if (lsm == NULL || !strcmp(lsm, hp->lsm)) {
+ rc = hp->hook.setprocattr(name, tvalue, size);
+ break;
+ }
}
- if (failed != 0)
- rc = failed;
- else
- rc = size;
+#endif /* CONFIG_SECURITY_STACKING */
free_out:
- kfree(local);
+ kfree(temp);
+#ifdef CONFIG_SECURITY_STACKING
+ kfree(lsm_value);
+#endif
+ if (rc >= 0)
+ return size;
return rc;
}
list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
+ if (lsm && strcmp(lsm, hp->lsm))
continue;
+#ifdef CONFIG_SECURITY_STACKING
+ if (!lsm && speclsm && speclsm[0] && strcmp(speclsm, hp->lsm))
+ continue;
+#endif
rc = hp->hook.setprocattr(name, value, size);
if (rc != -ENOENT)
- return rc;
+ return rc;
}
return -EINVAL;
}
@@ -1908,48 +2109,71 @@ EXPORT_SYMBOL(security_ismaclabel);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ char *speclsm = lsm_of_task(current);
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = -EOPNOTSUPP;
lsm_token_to_secids(secid, &secids);
- /*
- * CBS - Return the first result regardless.
- */
list_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
+ if (speclsm && speclsm[0] && strcmp(hp->lsm, speclsm))
+ continue;
rc = hp->hook.secid_to_secctx(secids.secid[hp->lsm_index],
secdata, seclen);
- if (rc != -EOPNOTSUPP)
- break;
+ return rc;
}
- return rc;
+ return -EOPNOTSUPP;
+#else
+ return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
+ seclen);
+#endif
}
EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- struct security_hook_list *hp;
+#ifdef CONFIG_SECURITY_STACKING
+ char *speclsm = lsm_of_task(current);
struct lsm_secids secids;
+ struct security_hook_list *hp;
int rc = 0;
lsm_secids_init(&secids);
list_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
+ if (speclsm && speclsm[0] && strcmp(hp->lsm, speclsm))
+ continue;
rc = hp->hook.secctx_to_secid(secdata, seclen,
&secids.secid[hp->lsm_index]);
- if (rc)
- break;
+ break;
}
*secid = lsm_secids_to_token(&secids);
return rc;
+#else
+ *secid = 0;
+ return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+#endif
}
EXPORT_SYMBOL(security_secctx_to_secid);
void security_release_secctx(char *secdata, u32 seclen)
{
- call_void_hook(release_secctx, secdata, seclen);
+#ifdef CONFIG_SECURITY_STACKING
+ char *speclsm = lsm_of_task(current);
+#endif
+ struct security_hook_list *hp;
+
+ list_for_each_entry(hp, &security_hook_heads.release_secctx, list) {
+#ifdef CONFIG_SECURITY_STACKING
+ if (speclsm[0] && strcmp(hp->lsm, speclsm))
+ continue;
+#endif
+ hp->hook.release_secctx(secdata, seclen);
+ break;
+ }
}
EXPORT_SYMBOL(security_release_secctx);
@@ -1961,19 +2185,173 @@ EXPORT_SYMBOL(security_inode_invalidate_secctx);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_value *lsm_value;
+ char *temp;
+ int count;
+ int rc = 0;
+
+ if (!ctx || !ctxlen)
+ return -EACCES;
+
+ lsm_value = kzalloc(sizeof(*lsm_value) * LSM_MAX_MAJOR, GFP_KERNEL);
+ if (!lsm_value)
+ return -ENOMEM;
+
+ temp = kmemdup(ctx, ctxlen + 1, GFP_KERNEL);
+ if (!temp) {
+ rc = -ENOMEM;
+ goto free_out;
+ }
+ temp[ctxlen] = '\0';
+
+ count = lsm_parse_context(temp, lsm_value);
+ if (count <= 0) {
+ rc = -EINVAL;
+ goto free_out;
+ }
+
+ for (count--; count >= 0; count--) {
+ list_for_each_entry(hp, &security_hook_heads.inode_notifysecctx,
+ list) {
+ if (!strcmp(hp->lsm, lsm_value[count].lsm)) {
+ rc = hp->hook.inode_notifysecctx(inode,
+ lsm_value[count].data,
+ strlen(lsm_value[count].data));
+ break;
+ }
+ }
+ if (rc)
+ break;
+ }
+
+free_out:
+ kfree(lsm_value);
+ kfree(temp);
+ return rc;
+#else
return call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen);
+#endif
}
EXPORT_SYMBOL(security_inode_notifysecctx);
+/**
+ * security_inode_setsecctx - set the LSM security attribute(s) on an inode
+ * @dentry: the directory entry containing the inode
+ * @ctx: the security attributes, in text form
+ * @ctxlen: the length of the attributes
+ *
+ * This should only be called by filesystems for the purpose
+ * of setting attributes in an LSM agnositic way. The @ctx
+ * value should never be externally supplied.
+ *
+ * Returns 0 on success and LSM defined errors.
+ */
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_value *lsm_value;
+ char *temp;
+ int count;
+ int rc = 0;
+
+ lsm_value = kzalloc(sizeof(*lsm_value) * LSM_MAX_MAJOR, GFP_KERNEL);
+ if (!lsm_value)
+ return -ENOMEM;
+
+ temp = kmemdup(ctx, ctxlen + 1, GFP_KERNEL);
+ if (!temp) {
+ rc = -ENOMEM;
+ goto free_out;
+ }
+ temp[ctxlen] = '\0';
+
+ count = lsm_parse_context(temp, lsm_value);
+ if (count <= 0) {
+ rc = -EINVAL;
+ goto free_out;
+ }
+
+ for (count--; count >= 0; count--) {
+ list_for_each_entry(hp, &security_hook_heads.inode_setsecctx,
+ list) {
+ if (!strcmp(hp->lsm, lsm_value[count].lsm)) {
+ rc = hp->hook.inode_setsecctx(dentry,
+ lsm_value[count].data,
+ strlen(lsm_value[count].data));
+ break;
+ }
+ }
+ if (rc)
+ break;
+ }
+
+free_out:
+ kfree(lsm_value);
+ kfree(temp);
+ return rc;
+#else
return call_int_hook(inode_setsecctx, 0, dentry, ctx, ctxlen);
+#endif
}
EXPORT_SYMBOL(security_inode_setsecctx);
+/**
+ * security_inode_getsecctx - get the LSM security attribute(s) of an inode
+ * @inode: the inode
+ * @ctx: the fetched security attributes, in text form
+ * @ctxlen: the length of the fetched attributes
+ *
+ * This should only be called by filesystems for the purpose
+ * of getting attributes in an LSM agnositic way. The @ctx
+ * value should never be externally exposed.
+ *
+ * Returns 0 on success and LSM defined errors.
+ */
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ char *value = NULL;
+ void *vp;
+ char *cp;
+ u32 tlen;
+ int trc;
+ int rc = -EOPNOTSUPP;
+
+ list_for_each_entry(hp, &security_hook_heads.inode_getsecctx, list) {
+ trc = hp->hook.inode_getsecctx(inode, &vp, &tlen);
+ if (trc < 0) {
+ kfree(value);
+ return trc;
+ }
+ rc = trc;
+ if (value == NULL) {
+ value = kasprintf(GFP_KERNEL, "%s='%s'", hp->lsm,
+ (char *)vp);
+ kfree(vp);
+ if (value == NULL)
+ return -ENOMEM;
+ } else {
+ cp = kasprintf(GFP_KERNEL, "%s,%s='%s'", value,
+ hp->lsm, (char *)vp);
+ kfree(vp);
+ kfree(value);
+ if (cp == NULL)
+ return -ENOMEM;
+ value = cp;
+ }
+ }
+ if (!rc) {
+ *ctxlen = strlen(value);
+ *ctx = value;
+ }
+ return rc;
+#else
return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen);
+#endif
}
EXPORT_SYMBOL(security_inode_getsecctx);
@@ -2068,30 +2446,61 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ char *lsm = lsm_of_task(current);
+
+ list_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream,
+ list) {
+ if (!lsm || !lsm[0] || !strcmp(lsm, hp->lsm))
+ return hp->hook.socket_getpeersec_stream(sock, optval,
+ optlen, len);
+ }
+ return -ENOPROTOOPT;
+#else
return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
optval, optlen, len);
+#endif
}
+/**
+ * security_socket_getpeersec_dgram - get peer secids for datagrams
+ * @sock: the socket
+ * @skb: packet data
+ * @secid: the result goes here
+ *
+ * The return is based on the task display module, but gather
+ * all the results to get a full token.
+ *
+ * Returns 0 on success, -ENOPROTOOPT if no modules, module error otherwise
+ */
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
+ char *lsm = lsm_of_task(current);
int rc = -ENOPROTOOPT;
+ int trc;
lsm_secids_init(&secids);
list_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
list) {
- rc = hp->hook.socket_getpeersec_dgram(sock, skb,
+ trc = hp->hook.socket_getpeersec_dgram(sock, skb,
&secids.secid[hp->lsm_index]);
- if (rc)
- break;
+ if (!lsm || !lsm[0] || !strcmp(lsm, hp->lsm))
+ rc = trc;
}
if (!rc)
*secid = lsm_secids_to_token(&secids);
return rc;
+#else
+ return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
+ skb, secid);
+#endif
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
@@ -2119,6 +2528,7 @@ EXPORT_SYMBOL(security_sk_clone);
void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
@@ -2128,12 +2538,16 @@ void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
hp->hook.sk_getsecid(sk, &secids.secid[hp->lsm_index]);
fl->flowi_secid = lsm_secids_to_token(&secids);
+#else
+ call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
+#endif
}
EXPORT_SYMBOL(security_sk_classify_flow);
void security_req_classify_flow(const struct request_sock *req,
struct flowi *fl)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
@@ -2143,6 +2557,9 @@ void security_req_classify_flow(const struct request_sock *req,
hp->hook.req_classify_flow(req, &secids.secid[hp->lsm_index]);
fl->flowi_secid = lsm_secids_to_token(&secids);
+#else
+ call_void_hook(req_classify_flow, req, &fl->flowi_secid);
+#endif
}
EXPORT_SYMBOL(security_req_classify_flow);
@@ -2173,6 +2590,7 @@ void security_inet_conn_established(struct sock *sk,
int security_secmark_relabel_packet(u32 secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = 0;
@@ -2187,6 +2605,9 @@ int security_secmark_relabel_packet(u32 secid)
break;
}
return rc;
+#else
+ return call_int_hook(secmark_relabel_packet, 0, secid);
+#endif
}
EXPORT_SYMBOL(security_secmark_relabel_packet);
@@ -2304,6 +2725,7 @@ EXPORT_SYMBOL(security_xfrm_state_alloc);
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = 0;
@@ -2318,6 +2740,9 @@ int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
break;
}
return rc;
+#else
+ return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid);
+#endif
}
int security_xfrm_state_delete(struct xfrm_state *x)
@@ -2333,6 +2758,7 @@ void security_xfrm_state_free(struct xfrm_state *x)
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = 0;
@@ -2346,6 +2772,9 @@ int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
break;
}
return rc;
+#else
+ return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir);
+#endif
}
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
@@ -2353,8 +2782,10 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
const struct flowi *fl)
{
struct security_hook_list *hp;
- struct lsm_secids secids;
int rc = 1;
+#ifdef CONFIG_SECURITY_STACKING
+ struct lsm_secids secids;
+#endif
/*
* Since this function is expected to return 0 or 1, the judgment
@@ -2365,12 +2796,18 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
* For speed optimization, we explicitly break the loop rather than
* using the macro
*/
+#ifdef CONFIG_SECURITY_STACKING
lsm_token_to_secids(fl->flowi_secid, &secids);
+#endif
list_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
list) {
+#ifdef CONFIG_SECURITY_STACKING
rc = hp->hook.xfrm_state_pol_flow_match(x, xp,
secids.secid[hp->lsm_index]);
+#else
+ rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl->flowi_secid);
+#endif
break;
}
return rc;
@@ -2378,6 +2815,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = 0;
@@ -2394,10 +2832,14 @@ int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
if (!rc)
*secid = lsm_secids_to_token(&secids);
return rc;
+#else
+ return call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
+#endif
}
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = 0;
@@ -2413,6 +2855,11 @@ void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
}
BUG_ON(rc);
fl->flowi_secid = lsm_secids_to_token(&secids);
+#else
+ int rc = call_int_hook(xfrm_decode_session, 0, skb, &fl->flowi_secid,
+ 0);
+ BUG_ON(rc);
+#endif
}
EXPORT_SYMBOL(security_skb_classify_flow);
@@ -2471,6 +2918,7 @@ void security_audit_rule_free(void *lsmrule)
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx)
{
+#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
int rc = 0;
@@ -2484,5 +2932,9 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
break;
}
return rc;
+#else
+ return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule,
+ actx);
+#endif
}
#endif /* CONFIG_AUDIT */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1cb90a7ac0cb..a93450cf9c8b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -101,7 +101,7 @@
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
/* Index into lsm_secids */
-static int selinux_secids_index;
+int selinux_secids_index;
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing;
@@ -411,6 +411,7 @@ static int may_context_mount_inode_relabel(u32 sid,
{
const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
+
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
@@ -4613,11 +4614,6 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
SECCLASS_NODE, NODE__RECVFROM, ad);
}
-static u32 selinux_secmark_to_secid(u32 token)
-{
- return lsm_token_to_module_secid(token, selinux_secids_index);
-}
-
static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
@@ -4638,7 +4634,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
if (selinux_secmark_enabled()) {
err = avc_has_perm(sk_sid,
- selinux_secmark_to_secid(skb->secmark),
+ selinux_token_to_secid(skb->secmark),
SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
@@ -4714,7 +4710,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
if (secmark_active) {
err = avc_has_perm(sk_sid,
- selinux_secmark_to_secid(skb->secmark),
+ selinux_token_to_secid(skb->secmark),
SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
@@ -4783,7 +4779,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
out:
*secid = peer_secid;
- if (peer_secid == SECSID_NULL)
+ if (*secid == SECSID_NULL)
return -EINVAL;
return 0;
}
@@ -4857,8 +4853,8 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
err = selinux_conn_sid(sksec->sid, peersid, &connsid);
if (err)
return err;
- req->secid = connsid;
- req->peer_secid = peersid;
+ req->secid = selinux_token_from_secid(req->secid, connsid);
+ req->peer_secid = selinux_token_from_secid(req->peer_secid, peersid);
return selinux_netlbl_inet_conn_request(req, family);
}
@@ -4868,8 +4864,10 @@ static void selinux_inet_csk_clone(struct sock *newsk,
{
struct sk_security_struct *newsksec = selinux_sock(newsk);
- newsksec->sid = req->secid;
- newsksec->peer_sid = req->peer_secid;
+
+ newsksec->sid = selinux_token_to_secid(req->secid);
+ newsksec->peer_sid = selinux_token_to_secid(req->peer_secid);
+
/* NOTE: Ideally, we should also get the isec->sid for the
new socket in sync, but we don't have the isec available yet.
So we will wait until sock_graft to do it, by which
@@ -4916,7 +4914,7 @@ static void selinux_secmark_refcount_dec(void)
static void selinux_req_classify_flow(const struct request_sock *req,
u32 *fl_secid)
{
- *fl_secid = req->secid;
+ *fl_secid = selinux_token_to_secid(req->secid);
}
static int selinux_tun_dev_alloc_security(void **security)
@@ -5079,7 +5077,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
if (secmark_active)
if (avc_has_perm(peer_sid,
- selinux_secmark_to_secid(skb->secmark),
+ selinux_token_to_secid(skb->secmark),
SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
return NF_DROP;
@@ -5192,7 +5190,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
if (selinux_secmark_enabled())
if (avc_has_perm(sksec->sid,
- selinux_secmark_to_secid(skb->secmark),
+ selinux_token_to_secid(skb->secmark),
SECCLASS_PACKET, PACKET__SEND, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
@@ -5316,7 +5314,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
if (secmark_active)
if (avc_has_perm(peer_sid,
- selinux_secmark_to_secid(skb->secmark),
+ selinux_token_to_secid(skb->secmark),
SECCLASS_PACKET, secmark_perm, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
@@ -5493,14 +5491,16 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
/* Can this process write to the queue? */
rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
MSGQ__WRITE, &ad);
- if (!rc)
+ if (!rc) {
/* Can this process send the message */
rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
MSG__SEND, &ad);
- if (!rc)
+ }
+ if (!rc) {
/* Can the message be put in the queue? */
rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
MSGQ__ENQUEUE, &ad);
+ }
return rc;
}
@@ -5523,9 +5523,10 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
rc = avc_has_perm(sid, isec->sid,
SECCLASS_MSGQ, MSGQ__READ, &ad);
- if (!rc)
+ if (!rc) {
rc = avc_has_perm(sid, msec->sid,
SECCLASS_MSG, MSG__RECEIVE, &ad);
+ }
return rc;
}
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 306863675614..939db01e86dc 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -231,4 +231,17 @@ static inline struct sk_security_struct *selinux_sock(const struct sock *sock)
#endif
}
+extern int selinux_secids_index;
+
+static inline u32 selinux_token_to_secid(u32 token)
+{
+ return lsm_token_get_secid(token, selinux_secids_index);
+}
+
+static inline u32 selinux_token_from_secid(u32 token, u32 secid)
+{
+ return lsm_token_set_secid(token, secid, selinux_secids_index);
+}
+
+
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index e91f08c16c0b..88bcf6a111c6 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -160,8 +160,7 @@ int security_member_sid(u32 ssid, u32 tsid,
int security_change_sid(u32 ssid, u32 tsid,
u16 tclass, u32 *out_sid);
-int security_sid_to_context(u32 sid, char **scontext,
- u32 *scontext_len);
+int security_sid_to_context(u32 sid, char **scontext, u32 *scontext_len);
int security_sid_to_context_force(u32 sid, char **scontext, u32 *scontext_len);
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 0b0091c04688..fe556c3ca1b3 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -122,7 +122,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
return NULL;
if ((secattr->flags & NETLBL_SECATTR_SECID) &&
- (secattr->attr.secid == sid))
+ (selinux_token_to_secid(secattr->attr.secid) == sid))
return secattr;
return NULL;
@@ -291,7 +291,8 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
return 0;
netlbl_secattr_init(&secattr);
- rc = security_netlbl_sid_to_secattr(req->secid, &secattr);
+ rc = security_netlbl_sid_to_secattr(selinux_token_to_secid(req->secid),
+ &secattr);
if (rc != 0)
goto inet_conn_request_return;
rc = netlbl_req_setattr(req, &secattr);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4558a23d160e..303460b8f551 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3445,7 +3445,7 @@ int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr,
if (secattr->flags & NETLBL_SECATTR_CACHE)
*sid = *(u32 *)secattr->cache->data;
else if (secattr->flags & NETLBL_SECATTR_SECID)
- *sid = secattr->attr.secid;
+ *sid = selinux_token_to_secid(secattr->attr.secid);
else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
rc = -EIDRM;
ctx = sidtab_search(&sidtab, SECINITSID_NETMSG);
@@ -3516,7 +3516,7 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
if (secattr->domain == NULL)
goto out;
- secattr->attr.secid = sid;
+ secattr->attr.secid = selinux_token_from_secid(secattr->attr.secid, sid);
secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
mls_export_netlbl_lvl(ctx, secattr);
rc = mls_export_netlbl_cat(ctx, secattr);
diff --git a/security/smack/smack.h b/security/smack/smack.h
index e9fd586e0ec1..7d606e49dea0 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -433,6 +433,16 @@ static inline struct smack_known **smack_key(const struct key *key)
}
#endif /* CONFIG_KEYS */
+static inline u32 smack_from_token(u32 token)
+{
+ return lsm_token_get_secid(token, smack_secids_index);
+}
+
+static inline u32 smack_to_token(u32 token, u32 secid)
+{
+ return lsm_token_set_secid(token, secid, smack_secids_index);
+}
+
/*
* Is the directory transmuting?
*/
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 1e32fcd99a0d..f7063bf9f014 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1429,7 +1429,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
* @inode: the object
* @name: attribute name
* @buffer: where to put the result
- * @alloc: unused
+ * @alloc: requires a buffer be allocated
*
* Returns the size of the attribute or an error code
*/
@@ -1442,43 +1442,39 @@ static int smack_inode_getsecurity(struct inode *inode,
struct super_block *sbp;
struct inode *ip = (struct inode *)inode;
struct smack_known *isp;
- int ilen;
- int rc = 0;
- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
isp = smk_of_inode(inode);
- ilen = strlen(isp->smk_known);
- *buffer = isp->smk_known;
- return ilen;
- }
-
- /*
- * The rest of the Smack xattrs are only on sockets.
- */
- sbp = ip->i_sb;
- if (sbp->s_magic != SOCKFS_MAGIC)
- return -EOPNOTSUPP;
+ else {
+ /*
+ * The rest of the Smack xattrs are only on sockets.
+ */
+ sbp = ip->i_sb;
+ if (sbp->s_magic != SOCKFS_MAGIC)
+ return -EOPNOTSUPP;
- sock = SOCKET_I(ip);
- if (sock == NULL || sock->sk == NULL)
- return -EOPNOTSUPP;
+ sock = SOCKET_I(ip);
+ if (sock == NULL || sock->sk == NULL)
+ return -EOPNOTSUPP;
- ssp = smack_sock(sock->sk);
+ ssp = smack_sock(sock->sk);
- if (strcmp(name, XATTR_SMACK_IPIN) == 0)
- isp = ssp->smk_in;
- else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
- isp = ssp->smk_out;
- else
- return -EOPNOTSUPP;
+ if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+ isp = ssp->smk_in;
+ else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+ isp = ssp->smk_out;
+ else
+ return -EOPNOTSUPP;
+ }
- ilen = strlen(isp->smk_known);
- if (rc == 0) {
+ if (alloc) {
+ *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
+ if (*buffer == NULL)
+ return -ENOMEM;
+ } else
*buffer = isp->smk_known;
- rc = ilen;
- }
- return rc;
+ return strlen(isp->smk_known);
}
@@ -3734,7 +3730,7 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
/*
* Looks like a fallback, which gives us a secid.
*/
- return smack_from_secid(sap->attr.secid);
+ return smack_from_secid(smack_from_token(sap->attr.secid));
/*
* Without guidance regarding the smack value
* for the packet fall back on the network
@@ -3792,13 +3788,6 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
}
#endif /* CONFIG_IPV6 */
-#ifdef CONFIG_SECURITY_SMACK_NETFILTER
-static u32 smk_of_secmark(u32 secmark)
-{
- return lsm_token_to_module_secid(secmark, smack_secids_index);
-}
-#endif
-
/**
* smack_socket_sock_rcv_skb - Smack packet delivery access check
* @sk: socket
@@ -3830,7 +3819,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
* The secmark is assumed to reflect policy better.
*/
if (skb && skb->secmark != 0) {
- skp = smack_from_secid(smk_of_secmark(skb->secmark));
+ skp = smack_from_secid(smack_from_token(skb->secmark));
goto access_check;
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
@@ -3875,7 +3864,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
break;
#ifdef SMACK_IPV6_SECMARK_LABELING
if (skb && skb->secmark != 0)
- skp = smack_from_secid(smk_of_secmark(skb->secmark));
+ skp = smack_from_secid(smack_from_token(skb->secmark));
else
skp = smack_ipv6host_label(&sadd);
if (skp == NULL)
@@ -3973,7 +3962,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
break;
case PF_INET:
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
- s = smk_of_secmark(skb->secmark);
+ s = smack_from_token(skb->secmark);
if (s != 0)
break;
#endif
@@ -3992,7 +3981,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
break;
case PF_INET6:
#ifdef SMACK_IPV6_SECMARK_LABELING
- s = smk_of_secmark(skb->secmark);
+ s = smack_from_token(skb->secmark);
#endif
break;
}
@@ -4071,7 +4060,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
* The secmark is assumed to reflect policy better.
*/
if (skb && skb->secmark != 0) {
- skp = smack_from_secid(smk_of_secmark(skb->secmark));
+ skp = smack_from_secid(smack_from_token(skb->secmark));
goto access_check;
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
@@ -4107,7 +4096,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
* Save the peer's label in the request_sock so we can later setup
* smk_packet in the child socket so that SO_PEERCRED can report it.
*/
- req->peer_secid = skp->smk_secid;
+ req->peer_secid = smack_to_token(0, skp->smk_secid);
/*
* We need to decide if we want to label the incoming connection here
@@ -4142,7 +4131,7 @@ static void smack_inet_csk_clone(struct sock *sk,
struct smack_known *skp;
if (req->peer_secid != 0) {
- skp = smack_from_secid(req->peer_secid);
+ skp = smack_from_secid(smack_from_token(req->peer_secid));
ssp->smk_packet = skp;
} else
ssp->smk_packet = NULL;
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 510661ba6c16..ee5c32c62643 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -23,19 +23,6 @@
#if IS_ENABLED(CONFIG_IPV6)
-/*
- * Reinvestigate this soon?
- *
- */
-static u32 smack_to_secmark(u32 secid)
-{
- struct lsm_secids secids;
-
- lsm_secids_init(&secids);
- secids.secid[smack_secids_index] = secid;
- return lsm_secids_to_token(&secids);
-}
-
static unsigned int smack_ipv6_output(void *priv,
struct sk_buff *skb,
const struct nf_hook_state *state)
@@ -47,7 +34,7 @@ static unsigned int smack_ipv6_output(void *priv,
if (sk && smack_sock(sk)) {
ssp = smack_sock(sk);
skp = ssp->smk_out;
- skb->secmark = smack_to_secmark(skp->smk_secid);
+ skb->secmark = smack_to_token(skb->secmark, skp->smk_secid);
}
return NF_ACCEPT;
@@ -65,7 +52,7 @@ static unsigned int smack_ipv4_output(void *priv,
if (sk && smack_sock(sk)) {
ssp = smack_sock(sk);
skp = ssp->smk_out;
- skb->secmark = smack_to_secmark(skp->smk_secid);
+ skb->secmark = smack_to_token(skb->secmark, skp->smk_secid);
}
return NF_ACCEPT;
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 9d2dde608298..a4274f1e1e9b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -1284,7 +1284,8 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
if (rc == 0 && skp != NULL)
rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
&snp->smk_host, &snp->smk_mask, PF_INET,
- snp->smk_label->smk_secid, &audit_info);
+ smack_to_token(0, snp->smk_label->smk_secid),
+ &audit_info);
if (rc == 0)
rc = count;
diff --git a/security/stacking.c b/security/stacking.c
index 65276cd695de..88000d3158b1 100644
--- a/security/stacking.c
+++ b/security/stacking.c
@@ -30,7 +30,9 @@ struct token_entry {
#define TOKEN_AGE_LIMIT (MAX_INT >> 2)
#define TOKEN_LIMIT 0x20000000
#define TOKEN_SET_SIZE 200
+#ifdef CONFIG_SECURITY_LSM_DEBUG
#define TOKEN_BIT 0x80000000
+#endif
int token_used;
u32 token_next;
struct lsm_secids null_secids;
@@ -41,7 +43,8 @@ static void report_token(const char *msg, const struct token_entry *te)
{
int i;
- pr_info("LSM: %s token=%08x %u,%u,%u,%u,%u,%u,%u,%u\n", msg, te->token,
+ pr_info("LSM: %s token=%08x %u,%u,%u,%u,%u,%u,%u,%u\n",
+ msg, te->token,
te->secids.secid[0], te->secids.secid[1], te->secids.secid[2],
te->secids.secid[3], te->secids.secid[4], te->secids.secid[5],
te->secids.secid[6], te->secids.secid[7]);
@@ -70,7 +73,11 @@ static u32 next_token(void)
pr_info("LSM: Security token overflow - safe reset\n");
token_next = 0;
}
+#ifdef CONFIG_SECURITY_LSM_DEBUG
return ++token_next | TOKEN_BIT;
+#else
+ return ++token_next;
+#endif
}
u32 lsm_secids_to_token(const struct lsm_secids *secids)
@@ -80,18 +87,23 @@ u32 lsm_secids_to_token(const struct lsm_secids *secids)
int old;
#ifdef CONFIG_SECURITY_LSM_DEBUG
- for (i = 0; i < LSM_MAX_MAJOR; i++)
+ for (i = 0; i < LSM_MAX_MAJOR; i++) {
+ WARN_ON_ONCE(secids->secid[i] & TOKEN_BIT);
if (secids->secid[i] & TOKEN_BIT)
pr_info("LSM: %s secid[%d]=%08x has token bit\n",
__func__, i, secids->secid[i]);
+ }
#endif
-
/*
* If none of the secids are set whoever sent this here
* was thinking "0".
*/
if (!memcmp(secids, &null_secids, sizeof(*secids)))
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ return TOKEN_BIT;
+#else
return 0;
+#endif
for (i = 0; i < TOKEN_SET_SIZE; i++) {
if (token_set[i].token == 0)
@@ -122,19 +134,12 @@ u32 lsm_secids_to_token(const struct lsm_secids *secids)
void lsm_token_to_secids(const u32 token, struct lsm_secids *secids)
{
int i;
- struct lsm_secids fudge;
- if (token) {
- if (!(token & TOKEN_BIT)) {
#ifdef CONFIG_SECURITY_LSM_DEBUG
- pr_info("LSM: %s token=%08x has no token bit\n",
- __func__, token);
+ if ((token & TOKEN_BIT) && token != TOKEN_BIT) {
+#else
+ if (token) {
#endif
- for (i = 0; i < LSM_MAX_MAJOR; i++)
- fudge.secid[i] = token;
- *secids = fudge;
- return;
- }
for (i = 0; i < TOKEN_SET_SIZE; i++) {
if (token_set[i].token == 0)
break;
@@ -145,13 +150,18 @@ void lsm_token_to_secids(const u32 token, struct lsm_secids *secids)
}
}
#ifdef CONFIG_SECURITY_LSM_DEBUG
- pr_info("LSM: %s token=%u was not found\n", __func__, token);
+ pr_info("LSM: %s token=%08x was not found\n", __func__, token);
#endif
}
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (token && !(token & TOKEN_BIT))
+ pr_info("LSM: %s token=%08x has no token bit\n",
+ __func__, token);
+#endif
*secids = null_secids;
}
-u32 lsm_token_to_module_secid(const u32 token, int lsm)
+u32 lsm_token_get_secid(const u32 token, int lsm)
{
struct lsm_secids secids;
@@ -163,3 +173,26 @@ void lsm_secids_init(struct lsm_secids *secids)
{
*secids = null_secids;
}
+
+u32 lsm_token_set_secid(const u32 token, u32 lsecid, int lsm)
+{
+ struct lsm_secids secids;
+
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (!(token & TOKEN_BIT)) {
+ if (token)
+ pr_info("LSM: %s token=%08x has no token bit\n",
+ __func__, token);
+#else
+ if (!token) {
+#endif
+ lsm_secids_init(&secids);
+ } else {
+ lsm_token_to_secids(token, &secids);
+ if (secids.secid[lsm] == lsecid)
+ return token;
+ }
+
+ secids.secid[lsm] = lsecid;
+ return lsm_secids_to_token(&secids);
+}
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info@ http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH 06/11] LSM: general but not extreme module stacking
2017-08-29 21:00 ` [PATCH 06/11] LSM: general but not extreme module stacking Casey Schaufler
@ 2017-08-30 7:28 ` James Morris
0 siblings, 0 replies; 21+ messages in thread
From: James Morris @ 2017-08-30 7:28 UTC (permalink / raw)
To: linux-security-module
On Tue, 29 Aug 2017, Casey Schaufler wrote:
> + config SECURITY_SELINUX_STACKED
> + bool "SELinux" if SECURITY_SELINUX=y
> + help
> + Add the SELinux security module to the stack. At this
> + time the Smack security module is incompatible with this
> + module.
> + Please be sure your user space code is accomodating of
> + this security module.
> +
> + config SECURITY_SMACK_STACKED
> + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
> + help
> + Add the Smack security module to the stack. At this
> + time the SELinux security module is incompatible with this
> + module.
> + Please be sure your user space code is accomodating of
> + this security module.
> +
> + config SECURITY_NOTHING_STACKED
> + bool "Use no 'extreme' security module"
> + help
> + Add neither the SELinux security module nor the Smack security
> + module to the stack.
> + Please be sure your user space code does not require either of
> + these security modules.
> +
These help texts are likely to be confusing. e.g. "the stack" usually
refers to a kernel or task stack, and which "user space code" needs what
exactly?
--
James Morris
<jmorris@namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [PATCH 01/11] procfs: add smack subdir to attrs
2017-08-29 20:55 ` [PATCH 01/11] procfs: add smack subdir to attrs Casey Schaufler
@ 2017-08-31 9:12 ` John Johansen
0 siblings, 0 replies; 21+ messages in thread
From: John Johansen @ 2017-08-31 9:12 UTC (permalink / raw)
To: linux-security-module
On 08/29/2017 01:55 PM, Casey Schaufler wrote:
> Subject: [PATCH 01/11] procfs: add smack subdir to attrs
>
> Back in 2007 I made what turned out to be a rather serious
> mistake in the implementation of the Smack security module.
> The SELinux module used an interface in /proc to manipulate
> the security context on processes. Rather than use a similar
> interface, I used the same interface. The AppArmor team did
> likewise. Now /proc/.../attr/current will tell you the
> security "context" of the process, but it will be different
> depending on the security module you're using.
>
> This patch provides a subdirectory in /proc/.../attr for
> Smack. Smack user space can use the "current" file in
> this subdirectory and never have to worry about getting
> SELinux attributes by mistake. Programs that use the
> old interface will continue to work (or fail, as the case
> may be) as before.
>
> This patch does not include subdirectories for SELinux
> or AppArmor. I do have a patch that provides those, and
> will happily make it available should anyone see value
> in it.
>
> The original implementation is by Kees Cook.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> Documentation/admin-guide/LSM/index.rst | 13 +++++--
> fs/proc/base.c | 63 ++++++++++++++++++++++++++++-----
> fs/proc/internal.h | 1 +
> include/linux/security.h | 15 +++++---
> security/security.c | 30 +++++++++++++---
> 5 files changed, 101 insertions(+), 21 deletions(-)
>
> diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
> index c980dfe9abf1..9842e21afd4a 100644
> --- a/Documentation/admin-guide/LSM/index.rst
> +++ b/Documentation/admin-guide/LSM/index.rst
> @@ -17,9 +17,8 @@ MAC extensions, other extensions can be built using the LSM to provide
> specific changes to system operation when these tweaks are not available
> in the core functionality of Linux itself.
>
> -Without a specific LSM built into the kernel, the default LSM will be the
> -Linux capabilities system. Most LSMs choose to extend the capabilities
> -system, building their checks on top of the defined capability hooks.
> +The Linux capabilities modules will always be included. This may be
> +followed by any number of "minor" modules and at most one "major" module.
> For more details on capabilities, see ``capabilities(7)`` in the Linux
> man-pages project.
>
> @@ -30,6 +29,14 @@ order in which checks are made. The capability module will always
> be first, followed by any "minor" modules (e.g. Yama) and then
> the one "major" module (e.g. SELinux) if there is one configured.
>
> +Process attributes associated with "major" security modules should
> +be accessed and maintained using the special files in ``/proc/.../attr``.
> +A security module may maintain a module specific subdirectory there,
> +named after the module. ``/proc/.../attr/smack`` is provided by the Smack
> +security module and contains all its special files. The files directly
> +in ``/proc/.../attr`` remain as legacy interfaces for modules that provide
> +subdirectories.
> +
> .. toctree::
> :maxdepth: 1
>
<< snip >>
> -int security_getprocattr(struct task_struct *p, char *name, char **value)
> +int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
> + char **value)
> {
> - return call_int_hook(getprocattr, -EINVAL, p, name, value);
> + struct security_hook_list *hp;
> + int rc;
> +
> + list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
> + if (lsm != NULL && strcmp(lsm, hp->lsm))
> + continue;
> + rc = hp->hook.getprocattr(p, name, value);
> + if (rc != -ENOENT)
> + return rc;
> + }
> + return -EINVAL;
> }
>
> -int security_setprocattr(const char *name, void *value, size_t size)
> +int security_setprocattr(const char *lsm, const char *name, void *value,
> + size_t size)
> {
> - return call_int_hook(setprocattr, -EINVAL, name, value, size);
> + struct security_hook_list *hp;
> + int rc;
> +
> + list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
> + if (lsm != NULL && strcmp(lsm, hp->lsm))
> + continue;
> + rc = hp->hook.setprocattr(name, value, size);
> + if (rc != -ENOENT)
> + return rc;
why
if (rc != -ENOENT), here and above in getprocattr?
this breaks apparmor, as -ENOENT is returned when trying to set a
label that doesn't exist
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [Non-DoD Source] [PATCH 03/11] LSM: Manage file security blobs
2017-08-29 20:57 ` [PATCH 03/11] LSM: Manage file " Casey Schaufler
@ 2017-08-31 15:47 ` Stephen Smalley
2017-08-31 15:58 ` Casey Schaufler
0 siblings, 1 reply; 21+ messages in thread
From: Stephen Smalley @ 2017-08-31 15:47 UTC (permalink / raw)
To: linux-security-module
On Tue, 2017-08-29 at 13:57 -0700, Casey Schaufler wrote:
> Subject: [PATCH 03/11] LSM: Manage file security blobs
>
> Move the management of file security blobs from the individual
> security modules to the security infrastructure. The security modules
> using file blobs have been updated accordingly. Modules are required
> to identify the space they need at module initialization. In some
> cases a module no longer needs to supply a blob management hook, in
> which case the hook has been removed.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> ?include/linux/lsm_hooks.h???????????|??1 +
> ?security/apparmor/include/context.h |??5 +++++
> ?security/apparmor/include/file.h????|??2 +-
> ?security/apparmor/lsm.c?????????????| 19 +++++++++--------
> ?security/security.c?????????????????| 32
> +++++++++++++++++++++++++++++
> ?security/selinux/hooks.c????????????| 41 +++++++++----------------
> ------------
> ?security/selinux/include/objsec.h???|??5 +++++
> ?security/smack/smack.h??????????????|??5 +++++
> ?security/smack/smack_lsm.c??????????| 26 ++++++++---------------
> ?9 files changed, 78 insertions(+), 58 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 4ecb4ed572cf..0603c57726e4 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1923,6 +1923,7 @@ struct security_hook_list {
> ? */
> ?struct lsm_blob_sizes {
> ? int lbs_cred;
> + int lbs_file;
> ?};
> ?
> ?/*
> diff --git a/security/apparmor/include/context.h
> b/security/apparmor/include/context.h
> index 301ab3a0dd04..c6e106a533e8 100644
> --- a/security/apparmor/include/context.h
> +++ b/security/apparmor/include/context.h
> @@ -87,6 +87,11 @@ static inline struct aa_label
> *aa_get_newest_cred_label(const struct cred *cred)
> ? return aa_get_newest_label(aa_cred_raw_label(cred));
> ?}
> ?
> +static inline struct aa_file_ctx *apparmor_file(const struct file
> *file)
> +{
> + return file->f_security;
> +}
> +
> ?/**
> ? * __aa_task_raw_label - retrieve another task's label
> ? * @task: task to query??(NOT NULL)
> diff --git a/security/apparmor/include/file.h
> b/security/apparmor/include/file.h
> index 001e40073ff9..af87b23700d7 100644
> --- a/security/apparmor/include/file.h
> +++ b/security/apparmor/include/file.h
> @@ -32,7 +32,7 @@ struct path;
> ? ?AA_MAY_CHMOD | AA_MAY_CHOWN |
> AA_MAY_LOCK | \
> ? ?AA_EXEC_MMAP | AA_MAY_LINK)
> ?
> -#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
> +#define file_ctx(X) apparmor_file(X)
> ?
> ?/* struct aa_file_ctx - the AppArmor context the file was opened in
> ? * @lock: lock to update the ctx
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 827df7012fe4..fb317cc94510 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -400,21 +400,21 @@ static int apparmor_file_open(struct file
> *file, const struct cred *cred)
> ?
> ?static int apparmor_file_alloc_security(struct file *file)
> ?{
> - int error = 0;
> -
> - /* freed by apparmor_file_free_security */
> + struct aa_file_ctx *ctx = file_ctx(file);
> ? struct aa_label *label = begin_current_label_crit_section();
> - file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
> - if (!file_ctx(file))
> - error = -ENOMEM;
> - end_current_label_crit_section(label);
> ?
> - return error;
> + spin_lock_init(&ctx->lock);
> + rcu_assign_pointer(ctx->label, aa_get_label(label));
> + end_current_label_crit_section(label);
> + return 0;
> ?}
> ?
> ?static void apparmor_file_free_security(struct file *file)
> ?{
> - aa_free_file_ctx(file_ctx(file));
> + struct aa_file_ctx *ctx = file_ctx(file);
> +
> + if (ctx)
> + aa_put_label(rcu_access_pointer(ctx->label));
> ?}
> ?
> ?static int common_file_perm(const char *op, struct file *file, u32
> mask)
> @@ -635,6 +635,7 @@ static int apparmor_task_setrlimit(struct
> task_struct *task,
> ?
> ?struct lsm_blob_sizes apparmor_blob_sizes = {
> ? .lbs_cred = sizeof(struct aa_task_ctx),
> + .lbs_file = sizeof(struct aa_file_ctx),
> ?};
> ?
> ?static struct security_hook_list apparmor_hooks[]
> __lsm_ro_after_init = {
> diff --git a/security/security.c b/security/security.c
> index 89d43c65630c..b9346db8a2d4 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -91,6 +91,7 @@ int __init security_init(void)
> ?
> ?#ifdef CONFIG_SECURITY_LSM_DEBUG
> ? pr_info("LSM: cred blob size???????= %d\n",
> blob_sizes.lbs_cred);
> + pr_info("LSM: file blob size???????= %d\n",
> blob_sizes.lbs_file);
> ?#endif
> ?
> ? return 0;
> @@ -267,6 +268,30 @@ static void __init lsm_set_size(int *need, int
> *lbs)
> ?void __init security_add_blobs(struct lsm_blob_sizes *needed)
> ?{
> ? lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
> + lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
> +}
> +
> +/**
> + * lsm_file_alloc - allocate a composite file blob
> + * @file: the file that needs a blob
> + *
> + * Allocate the file blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +int lsm_file_alloc(struct file *file)
> +{
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> + if (file->f_security)
> + pr_info("%s: Inbound file blob is not NULL.\n",
> __func__);
> +#endif
> + if (blob_sizes.lbs_file == 0)
> + return 0;
> +
> + file->f_security = kzalloc(blob_sizes.lbs_file, GFP_KERNEL);
> + if (file->f_security == NULL)
> + return -ENOMEM;
> + return 0;
> ?}
> ?
> ?/*
> @@ -957,12 +982,19 @@ int security_file_permission(struct file *file,
> int mask)
> ?
> ?int security_file_alloc(struct file *file)
> ?{
> + int rc = lsm_file_alloc(file);
> +
> + if (rc)
> + return rc;
> ? return call_int_hook(file_alloc_security, 0, file);
> ?}
> ?
> ?void security_file_free(struct file *file)
> ?{
> ? call_void_hook(file_free_security, file);
> +
> + kfree(file->f_security);
> + file->f_security = NULL;
> ?}
> ?
> ?int security_file_ioctl(struct file *file, unsigned int cmd,
> unsigned long arg)
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3b2f028f1e86..b7909d710368 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -129,7 +129,6 @@ int selinux_enabled = 1;
> ?#endif
> ?
> ?static struct kmem_cache *sel_inode_cache;
> -static struct kmem_cache *file_security_cache;
> ?
> ?/**
> ? * selinux_secmark_enabled - Check to see if SECMARK is currently
> enabled
> @@ -359,27 +358,15 @@ static void inode_free_security(struct inode
> *inode)
> ?
> ?static int file_alloc_security(struct file *file)
> ?{
> - struct file_security_struct *fsec;
> + struct file_security_struct *fsec = selinux_file(file);
> ? u32 sid = current_sid();
> ?
> - fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
> - if (!fsec)
> - return -ENOMEM;
> -
NAK. See commit 63205654c0e05e5ffa1c6eef2fbef21dcabd2185 for why this
was changed from a simple kzalloc() to using its own cache; we don't
want to regress in this regard.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [Non-DoD Source] [PATCH 03/11] LSM: Manage file security blobs
2017-08-31 15:47 ` [Non-DoD Source] " Stephen Smalley
@ 2017-08-31 15:58 ` Casey Schaufler
2017-08-31 18:41 ` Stephen Smalley
0 siblings, 1 reply; 21+ messages in thread
From: Casey Schaufler @ 2017-08-31 15:58 UTC (permalink / raw)
To: linux-security-module
On 8/31/2017 8:47 AM, Stephen Smalley wrote:
> On Tue, 2017-08-29 at 13:57 -0700, Casey Schaufler wrote:
>> Subject: [PATCH 03/11] LSM: Manage file security blobs
>>
>> Move the management of file security blobs from the individual
>> security modules to the security infrastructure. The security modules
>> using file blobs have been updated accordingly. Modules are required
>> to identify the space they need at module initialization. In some
>> cases a module no longer needs to supply a blob management hook, in
>> which case the hook has been removed.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
<SNIP>
>> ?/**
>> ? * selinux_secmark_enabled - Check to see if SECMARK is currently
>> enabled
>> @@ -359,27 +358,15 @@ static void inode_free_security(struct inode
>> *inode)
>> ?
>> ?static int file_alloc_security(struct file *file)
>> ?{
>> - struct file_security_struct *fsec;
>> + struct file_security_struct *fsec = selinux_file(file);
>> ? u32 sid = current_sid();
>> ?
>> - fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
>> - if (!fsec)
>> - return -ENOMEM;
>> -
> NAK. See commit 63205654c0e05e5ffa1c6eef2fbef21dcabd2185 for why this
> was changed from a simple kzalloc() to using its own cache; we don't
> want to regress in this regard.
I was somewhat expecting this. Is there any reason that using
kmem_cache_zalloc() in the infrastructure would not address the
issue? If this is a win for SELinux it should be a win for any
module that uses file blobs.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [Non-DoD Source] [PATCH 05/11] LSM: Infrastructure management of the remaining blobs
2017-08-29 20:59 ` [PATCH 05/11] LSM: Infrastructure management of the remaining blobs Casey Schaufler
@ 2017-08-31 16:09 ` Stephen Smalley
0 siblings, 0 replies; 21+ messages in thread
From: Stephen Smalley @ 2017-08-31 16:09 UTC (permalink / raw)
To: linux-security-module
On Tue, 2017-08-29 at 13:59 -0700, Casey Schaufler wrote:
> Subject: [PATCH 05/11] LSM: Infrastructure management of the
> remaining blobs
>
> Move management of the inode, ipc, key, msg_msg, sock and superblock
> security blobs from the security modules to the infrastructure.
> Use of the blob pointers is abstracted in the security modules.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> ?include/linux/lsm_hooks.h?????????|???8 +
> ?security/security.c???????????????| 259 +++++++++++++++++++++++++++-
> ?security/selinux/hooks.c??????????| 333 ++++++++++++--------------
> ----------
> ?security/selinux/include/objsec.h |??65 +++++++-
> ?security/selinux/netlabel.c???????|??15 +-
> ?security/selinux/selinuxfs.c??????|???4 +-
> ?security/selinux/ss/services.c????|???3 +-
> ?security/smack/smack.h????????????|??61 ++++++-
> ?security/smack/smack_lsm.c????????| 343 +++++++++++-----------------
> ----------
> ?security/smack/smack_netfilter.c??|???8 +-
> ?10 files changed, 599 insertions(+), 500 deletions(-)
>
<snip>
> @@ -319,6 +341,166 @@ int lsm_task_alloc(struct task_struct *task)
> ? return 0;
> ?}
> ?
> +/**
> + * lsm_inode_alloc - allocate a composite inode blob
> + * @inode: the inode that needs a blob
> + *
> + * Allocate the inode blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +int lsm_inode_alloc(struct inode *inode)
> +{
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> + if (inode->i_security)
> + pr_info("%s: Inbound inode blob is not NULL.\n",
> __func__);
> +#endif
> + if (blob_sizes.lbs_inode == 0)
> + return 0;
> +
> + inode->i_security = kzalloc(blob_sizes.lbs_inode,
> GFP_KERNEL);
> + if (inode->i_security == NULL)
> + return -ENOMEM;
> + return 0;
> +}
NAK. See commit 7cae7e26f245151b9ccad868bf2edf8c8048d307 for why we
moved to using our own cache for inode security blobs in SELinux; we
don't want to regress here. Also, you need to use GFP_NOFS here, see
commit a02fe13297af26c13d004b1d44f391c077094ea0.
<snip>
> @@ -570,14 +758,39 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
> ?
> ?int security_inode_alloc(struct inode *inode)
> ?{
> - inode->i_security = NULL;
> + int rc = lsm_inode_alloc(inode);
> +
> + if (rc)
> + return rc;
> ? return call_int_hook(inode_alloc_security, 0, inode);
> ?}
> ?
> +static void inode_free_by_rcu(struct rcu_head *head)
> +{
> + /*
> + ?* The rcu head is at the start of the inode blob
> + ?*/
> + kfree(head);
> +}
> +
> ?void security_inode_free(struct inode *inode)
> ?{
> ? integrity_inode_free(inode);
> ? call_void_hook(inode_free_security, inode);
> + /*
> + ?* The inode may still be referenced in a path walk and
> + ?* a call to security_inode_permission() can be made
> + ?* after inode_free_security() is called. Ideally, the VFS
> + ?* wouldn't do this, but fixing that is a much harder
> + ?* job. For now, simply free the i_security via RCU, and
> + ?* leave the current inode->i_security pointer intact.
> + ?* The inode will be freed after the RCU grace period too.
> + ?*/
> + if (inode->i_security != NULL) {
> + call_rcu((struct rcu_head *)inode->i_security,
> + inode_free_by_rcu);
> + inode->i_security = NULL;
You can't clear inode->i_security here; see the comment above that you
copied from the original SELinux code.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [Non-DoD Source] [PATCH 07/11] LSM: Shared secids by token
2017-08-29 21:01 ` [PATCH 07/11] LSM: Shared secids by token Casey Schaufler
@ 2017-08-31 16:30 ` Stephen Smalley
2017-08-31 18:37 ` Stephen Smalley
0 siblings, 1 reply; 21+ messages in thread
From: Stephen Smalley @ 2017-08-31 16:30 UTC (permalink / raw)
To: linux-security-module
On Tue, 2017-08-29 at 14:01 -0700, Casey Schaufler wrote:
> Subject: [PATCH 07/11] LSM: Shared secids by token
>
> Introduces a mechanism for mapping a set of security
> module secids to and from a "token". The module interfaces
> are changed to generally hide the mechanism from both the
> security modules and the callers of the security hooks.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> ?include/linux/lsm_hooks.h????????|??54 ++++++++-
> ?security/Makefile????????????????|???1 +
> ?security/security.c??????????????| 248
> ++++++++++++++++++++++++++++++++++-----
> ?security/selinux/hooks.c?????????|??31 +++--
> ?security/selinux/include/xfrm.h??|???2 +-
> ?security/selinux/xfrm.c??????????|???6 +-
> ?security/smack/smack.h???????????|???1 +
> ?security/smack/smack_lsm.c???????|??19 ++-
> ?security/smack/smack_netfilter.c |??17 ++-
> ?security/stacking.c??????????????| 165 ++++++++++++++++++++++++++
> ?10 files changed, 497 insertions(+), 47 deletions(-)
> ?create mode 100644 security/stacking.c
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index dfe4dab1ff8d..75d95854f2ed 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1627,7 +1627,7 @@ union security_list_options {
> ? void (*secmark_refcount_inc)(void);
> ? void (*secmark_refcount_dec)(void);
> ? void (*req_classify_flow)(const struct request_sock *req,
> - struct flowi *fl);
> + u32 *fl_secid);
> ? int (*tun_dev_alloc_security)(void **security);
> ? void (*tun_dev_free_security)(void *security);
> ? int (*tun_dev_create)(void);
> @@ -1663,7 +1663,7 @@ union security_list_options {
> ? u8 dir);
> ? int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
> ? struct xfrm_policy
> *xp,
> - const struct flowi
> *fl);
> + u32 fl_secid);
> ? int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid,
> int ckall);
> ?#endif /* CONFIG_SECURITY_NETWORK_XFRM */
> ?
> @@ -1916,9 +1916,59 @@ struct security_hook_list {
> ? struct list_head *head;
> ? union security_list_options hook;
> ? char *lsm;
> + int lsm_index;
> ?} __randomize_layout;
> ?
> ?/*
> + * The maximum number of major security modules.
> + * Used to avoid excessive memory management while
> + * mapping global and module specific secids.
> + *
> + * Currently SELinux, Smack, AppArmor, TOMOYO
> + * Oh, but Casey needs to come up with the right way
> + * to identify a "major" module, so use the total number
> + * of modules (including minor) for now.
> + * Minor: Capability, Yama, LoadPin
> + */
> +#define LSM_MAX_MAJOR 8
> +
> +#ifdef CONFIG_SECURITY_STACKING
> +struct lsm_secids {
> + u32 secid[LSM_MAX_MAJOR];
> +};
> +
> +extern u32 lsm_secids_to_token(const struct lsm_secids *secids);
> +extern void lsm_token_to_secids(const u32 token, struct lsm_secids
> *secids);
> +extern u32 lsm_token_to_module_secid(const u32 token, int lsm);
> +extern void lsm_secids_init(struct lsm_secids *secids);
> +#else /* CONFIG_SECURITY_STACKING */
> +struct lsm_secids {
> + u32 secid;
> +};
> +
> +static inline u32 lsm_secids_to_token(const struct lsm_secids
> *secids)
> +{
> + return secids->secid;
> +}
> +
> +static inline void lsm_token_to_secids(const u32 token,
> + ???????struct lsm_secids *secids)
> +{
> + secids->secid = token;
> +}
> +
> +static inline u32 lsm_token_to_module_secid(const u32 token, int
> lsm)
> +{
> + return token;
> +}
> +
> +static inline void lsm_secids_init(struct lsm_secids *secids)
> +{
> + secids->secid = 0;
> +}
> +#endif /* CONFIG_SECURITY_STACKING */
> +
> +/*
> ? * Security blob size or offset data.
> ? */
> ?struct lsm_blob_sizes {
> diff --git a/security/Makefile b/security/Makefile
> index f2d71cdb8e19..05e6d525b5a1 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) +=
> apparmor/
> ?obj-$(CONFIG_SECURITY_YAMA) += yama/
> ?obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> ?obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
> +obj-$(CONFIG_SECURITY_STACKING) += stacking.o
> ?
> ?# Object integrity file lists
> ?subdir-$(CONFIG_INTEGRITY) += integrity
> diff --git a/security/security.c b/security/security.c
> index 6b979aa769ad..9d402d954cef 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -199,6 +199,11 @@ bool __init security_module_enable(const char
> *lsm, const bool stacked)
> ?#endif
> ?}
> ?
> +/*
> + * Keep the order of major modules for mapping secids.
> + */
> +static int lsm_next_major;
> +
> ?/**
> ? * security_add_hooks - Add a modules hooks to the hook lists.
> ? * @hooks: the hooks to add
> @@ -211,9 +216,14 @@ void __init security_add_hooks(struct
> security_hook_list *hooks, int count,
> ? char *lsm)
> ?{
> ? int i;
> + int lsm_index = lsm_next_major++;
> ?
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> + pr_info("LSM: Security module %s gets index %d\n", lsm,
> lsm_index);
> +#endif
> ? for (i = 0; i < count; i++) {
> ? hooks[i].lsm = lsm;
> + hooks[i].lsm_index = lsm_index;
> ? list_add_tail_rcu(&hooks[i].list, hooks[i].head);
> ? }
> ? if (lsm_append(lsm, &lsm_names) < 0)
> @@ -1218,7 +1228,15 @@ EXPORT_SYMBOL(security_inode_listsecurity);
> ?
> ?void security_inode_getsecid(struct inode *inode, u32 *secid)
> ?{
> - call_void_hook(inode_getsecid, inode, secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> +
> + lsm_secids_init(&secids);
> +
> + list_for_each_entry(hp, &security_hook_heads.inode_getsecid,
> list)
> + hp->hook.inode_getsecid(inode, &secids.secid[hp-
> >lsm_index]);
> +
> + *secid = lsm_secids_to_token(&secids);
> ?}
> ?
> ?int security_inode_copy_up(struct dentry *src, struct cred **new)
> @@ -1406,7 +1424,18 @@ void security_transfer_creds(struct cred *new,
> const struct cred *old)
> ?
> ?int security_kernel_act_as(struct cred *new, u32 secid)
> ?{
> - return call_int_hook(kernel_act_as, 0, new, secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_token_to_secids(secid, &secids);
> +
> + list_for_each_entry(hp, &security_hook_heads.kernel_act_as,
> list) {
> + rc = hp->hook.kernel_act_as(new, secids.secid[hp-
> >lsm_index]);
> + if (rc)
> + break;
> + }
> + return rc;
> ?}
> ?
> ?int security_kernel_create_files_as(struct cred *new, struct inode
> *inode)
> @@ -1465,8 +1494,15 @@ int security_task_getsid(struct task_struct
> *p)
> ?
> ?void security_task_getsecid(struct task_struct *p, u32 *secid)
> ?{
> - *secid = 0;
> - call_void_hook(task_getsecid, p, secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> +
> + lsm_secids_init(&secids);
> +
> + list_for_each_entry(hp, &security_hook_heads.task_getsecid,
> list)
> + hp->hook.task_getsecid(p, &secids.secid[hp-
> >lsm_index]);
> +
> + *secid = lsm_secids_to_token(&secids);
> ?}
> ?EXPORT_SYMBOL(security_task_getsecid);
> ?
> @@ -1515,7 +1551,19 @@ int security_task_movememory(struct
> task_struct *p)
> ?int security_task_kill(struct task_struct *p, struct siginfo *info,
> ? int sig, u32 secid)
> ?{
> - return call_int_hook(task_kill, 0, p, info, sig, secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_token_to_secids(secid, &secids);
> +
> + list_for_each_entry(hp, &security_hook_heads.task_kill,
> list) {
> + rc = hp->hook.task_kill(p, info, sig,
> + secids.secid[hp-
> >lsm_index]);
> + if (rc)
> + break;
> + }
> + return rc;
> ?}
> ?
> ?int security_task_prctl(int option, unsigned long arg2, unsigned
> long arg3,
> @@ -1548,8 +1596,15 @@ int security_ipc_permission(struct
> kern_ipc_perm *ipcp, short flag)
> ?
> ?void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
> ?{
> - *secid = 0;
> - call_void_hook(ipc_getsecid, ipcp, secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> +
> + lsm_secids_init(&secids);
> +
> + list_for_each_entry(hp, &security_hook_heads.ipc_getsecid,
> list)
> + hp->hook.ipc_getsecid(ipcp, &secids.secid[hp-
> >lsm_index]);
> +
> + *secid = lsm_secids_to_token(&secids);
> ?}
> ?
> ?int security_msg_msg_alloc(struct msg_msg *msg)
> @@ -1840,15 +1895,42 @@ EXPORT_SYMBOL(security_ismaclabel);
> ?
> ?int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> ?{
> - return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid,
> secdata,
> - seclen);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = -EOPNOTSUPP;
> +
> + lsm_token_to_secids(secid, &secids);
> +
> + /*
> + ?* CBS - Return the first result regardless.
> + ?*/
> + list_for_each_entry(hp,
> &security_hook_heads.secid_to_secctx, list) {
> + rc = hp->hook.secid_to_secctx(secids.secid[hp-
> >lsm_index],
> + secdata, seclen);
> + if (rc != -EOPNOTSUPP)
> + break;
> + }
> + return rc;
> ?}
> ?EXPORT_SYMBOL(security_secid_to_secctx);
> ?
> ?int security_secctx_to_secid(const char *secdata, u32 seclen, u32
> *secid)
> ?{
> - *secid = 0;
> - return call_int_hook(secctx_to_secid, 0, secdata, seclen,
> secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_secids_init(&secids);
> +
> + list_for_each_entry(hp,
> &security_hook_heads.secctx_to_secid, list) {
> + rc = hp->hook.secctx_to_secid(secdata, seclen,
> + &secids.secid[hp-
> >lsm_index]);
> + if (rc)
> + break;
> + }
> +
> + *secid = lsm_secids_to_token(&secids);
> + return rc;
> ?}
> ?EXPORT_SYMBOL(security_secctx_to_secid);
> ?
> @@ -1977,10 +2059,26 @@ int security_socket_getpeersec_stream(struct
> socket *sock, char __user *optval,
> ? optval, optlen, len);
> ?}
> ?
> -int security_socket_getpeersec_dgram(struct socket *sock, struct
> sk_buff *skb, u32 *secid)
> +int security_socket_getpeersec_dgram(struct socket *sock, struct
> sk_buff *skb,
> + ?????u32 *secid)
> ?{
> - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT,
> sock,
> - ?????skb, secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = -ENOPROTOOPT;
> +
> + lsm_secids_init(&secids);
> +
> + list_for_each_entry(hp,
> &security_hook_heads.socket_getpeersec_dgram,
> +
> list) {
> + rc = hp->hook.socket_getpeersec_dgram(sock, skb,
> + &secids.secid[hp-
> >lsm_index]);
> + if (rc)
> + break;
> + }
> +
> + if (!rc)
> + *secid = lsm_secids_to_token(&secids);
> + return rc;
> ?}
> ?EXPORT_SYMBOL(security_socket_getpeersec_dgram);
> ?
> @@ -2008,13 +2106,30 @@ EXPORT_SYMBOL(security_sk_clone);
> ?
> ?void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
> ?{
> - call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> +
> + lsm_secids_init(&secids);
> +
> + list_for_each_entry(hp, &security_hook_heads.sk_getsecid,
> list)
> + hp->hook.sk_getsecid(sk, &secids.secid[hp-
> >lsm_index]);
> +
> + fl->flowi_secid = lsm_secids_to_token(&secids);
> ?}
> ?EXPORT_SYMBOL(security_sk_classify_flow);
> ?
> -void security_req_classify_flow(const struct request_sock *req,
> struct flowi *fl)
> +void security_req_classify_flow(const struct request_sock *req,
> + struct flowi *fl)
> ?{
> - call_void_hook(req_classify_flow, req, fl);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> +
> + lsm_secids_init(&secids);
> +
> + list_for_each_entry(hp,
> &security_hook_heads.req_classify_flow, list)
> + hp->hook.req_classify_flow(req, &secids.secid[hp-
> >lsm_index]);
> +
> + fl->flowi_secid = lsm_secids_to_token(&secids);
> ?}
> ?EXPORT_SYMBOL(security_req_classify_flow);
> ?
> @@ -2045,7 +2160,20 @@ void security_inet_conn_established(struct
> sock *sk,
> ?
> ?int security_secmark_relabel_packet(u32 secid)
> ?{
> - return call_int_hook(secmark_relabel_packet, 0, secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_token_to_secids(secid, &secids);
> +
> + list_for_each_entry(hp,
> &security_hook_heads.secmark_relabel_packet,
> +
> list) {
> + rc = hp->hook.secmark_relabel_packet(
> + secids.secid[hp-
> >lsm_index]);
> + if (rc)
> + break;
> + }
> + return rc;
> ?}
> ?EXPORT_SYMBOL(security_secmark_relabel_packet);
> ?
> @@ -2163,7 +2291,20 @@ EXPORT_SYMBOL(security_xfrm_state_alloc);
> ?int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
> ? ??????struct xfrm_sec_ctx *polsec,
> u32 secid)
> ?{
> - return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec,
> secid);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_token_to_secids(secid, &secids);
> +
> + list_for_each_entry(hp,
> &security_hook_heads.xfrm_state_alloc_acquire,
> +
> list) {
> + rc = hp->hook.xfrm_state_alloc_acquire(x, polsec,
> + secids.secid[hp-
> >lsm_index]);
> + if (rc)
> + break;
> + }
> + return rc;
> ?}
> ?
> ?int security_xfrm_state_delete(struct xfrm_state *x)
> @@ -2179,7 +2320,19 @@ void security_xfrm_state_free(struct
> xfrm_state *x)
> ?
> ?int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32
> fl_secid, u8 dir)
> ?{
> - return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid,
> dir);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_token_to_secids(fl_secid, &secids);
> +
> + list_for_each_entry(hp,
> &security_hook_heads.xfrm_policy_lookup, list) {
> + rc = hp->hook.xfrm_policy_lookup(ctx,
> + secids.secid[hp->lsm_index],
> dir);
> + if (rc)
> + break;
> + }
> + return rc;
> ?}
> ?
> ?int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
> @@ -2187,6 +2340,7 @@ int security_xfrm_state_pol_flow_match(struct
> xfrm_state *x,
> ? ???????const struct flowi *fl)
> ?{
> ? struct security_hook_list *hp;
> + struct lsm_secids secids;
> ? int rc = 1;
> ?
> ? /*
> @@ -2198,9 +2352,12 @@ int security_xfrm_state_pol_flow_match(struct
> xfrm_state *x,
> ? ?* For speed optimization, we explicitly break the loop
> rather than
> ? ?* using the macro
> ? ?*/
> + lsm_token_to_secids(fl->flowi_secid, &secids);
> +
> ? list_for_each_entry(hp,
> &security_hook_heads.xfrm_state_pol_flow_match,
> - list) {
> - rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl);
> +
> list) {
> + rc = hp->hook.xfrm_state_pol_flow_match(x, xp,
> + secids.secid[hp->lsm_index]);
> ? break;
> ? }
> ? return rc;
> @@ -2208,15 +2365,41 @@ int security_xfrm_state_pol_flow_match(struct
> xfrm_state *x,
> ?
> ?int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
> ?{
> - return call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_secids_init(&secids);
> +
> + list_for_each_entry(hp,
> &security_hook_heads.xfrm_decode_session,
> +
> list) {
> + rc = hp->hook.xfrm_decode_session(skb,
> + &secids.secid[hp-
> >lsm_index], 1);
> + if (rc)
> + break;
> + }
> + if (!rc)
> + *secid = lsm_secids_to_token(&secids);
> + return rc;
> ?}
> ?
> ?void security_skb_classify_flow(struct sk_buff *skb, struct flowi
> *fl)
> ?{
> - int rc = call_int_hook(xfrm_decode_session, 0, skb, &fl-
> >flowi_secid,
> - 0);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_secids_init(&secids);
> ?
> + list_for_each_entry(hp,
> &security_hook_heads.xfrm_decode_session,
> +
> list) {
> + rc = hp->hook.xfrm_decode_session(skb,
> + &secids.secid[hp-
> >lsm_index], 0);
> + if (rc)
> + break;
> + }
> ? BUG_ON(rc);
> + fl->flowi_secid = lsm_secids_to_token(&secids);
> ?}
> ?EXPORT_SYMBOL(security_skb_classify_flow);
> ?
> @@ -2275,7 +2458,18 @@ void security_audit_rule_free(void *lsmrule)
> ?int security_audit_rule_match(u32 secid, u32 field, u32 op, void
> *lsmrule,
> ? ??????struct audit_context *actx)
> ?{
> - return call_int_hook(audit_rule_match, 0, secid, field, op,
> lsmrule,
> - actx);
> + struct security_hook_list *hp;
> + struct lsm_secids secids;
> + int rc = 0;
> +
> + lsm_token_to_secids(secid, &secids);
> +
> + list_for_each_entry(hp,
> &security_hook_heads.audit_rule_match, list) {
> + rc = hp->hook.audit_rule_match(secids.secid[hp-
> >lsm_index],
> + field, op, lsmrule,
> actx);
> + if (rc)
> + break;
> + }
> + return rc;
> ?}
> ?#endif /* CONFIG_AUDIT */
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 84d533335924..389f09ebd374 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -100,6 +100,9 @@
> ?/* SECMARK reference count */
> ?static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
> ?
> +/* Index into lsm_secids */
> +static int selinux_secids_index;
> +
> ?#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
> ?int selinux_enforcing;
> ?
> @@ -4610,6 +4613,11 @@ static int selinux_inet_sys_rcv_skb(struct net
> *ns, int ifindex,
> ? ????SECCLASS_NODE, NODE__RECVFROM, ad);
> ?}
> ?
> +static u32 selinux_secmark_to_secid(u32 token)
> +{
> + return lsm_token_to_module_secid(token,
> selinux_secids_index);
> +}
> +
> ?static int selinux_sock_rcv_skb_compat(struct sock *sk, struct
> sk_buff *skb,
> ? ???????u16 family)
> ?{
> @@ -4629,7 +4637,9 @@ static int selinux_sock_rcv_skb_compat(struct
> sock *sk, struct sk_buff *skb,
> ? return err;
> ?
> ? if (selinux_secmark_enabled()) {
> - err = avc_has_perm(sk_sid, skb->secmark,
> SECCLASS_PACKET,
> + err = avc_has_perm(sk_sid,
> + ???selinux_secmark_to_secid(skb-
> >secmark),
> + ???SECCLASS_PACKET,
> ? ???PACKET__RECV, &ad);
> ? if (err)
> ? return err;
> @@ -4703,7 +4713,9 @@ static int selinux_socket_sock_rcv_skb(struct
> sock *sk, struct sk_buff *skb)
> ? }
> ?
> ? if (secmark_active) {
> - err = avc_has_perm(sk_sid, skb->secmark,
> SECCLASS_PACKET,
> + err = avc_has_perm(sk_sid,
> + ???selinux_secmark_to_secid(skb-
> >secmark),
> + ???SECCLASS_PACKET,
> ? ???PACKET__RECV, &ad);
> ? if (err)
> ? return err;
> @@ -4902,9 +4914,9 @@ static void selinux_secmark_refcount_dec(void)
> ?}
> ?
> ?static void selinux_req_classify_flow(const struct request_sock
> *req,
> - ??????struct flowi *fl)
> + ??????u32 *fl_secid)
> ?{
> - fl->flowi_secid = req->secid;
> + *fl_secid = req->secid;
> ?}
> ?
> ?static int selinux_tun_dev_alloc_security(void **security)
> @@ -5066,7 +5078,8 @@ static unsigned int selinux_ip_forward(struct
> sk_buff *skb,
> ? }
> ?
> ? if (secmark_active)
> - if (avc_has_perm(peer_sid, skb->secmark,
> + if (avc_has_perm(peer_sid,
> + ?selinux_secmark_to_secid(skb-
> >secmark),
> ? ?SECCLASS_PACKET,
> PACKET__FORWARD_IN, &ad))
> ? return NF_DROP;
> ?
> @@ -5178,7 +5191,8 @@ static unsigned int
> selinux_ip_postroute_compat(struct sk_buff *skb,
> ? return NF_DROP;
> ?
> ? if (selinux_secmark_enabled())
> - if (avc_has_perm(sksec->sid, skb->secmark,
> + if (avc_has_perm(sksec->sid,
> + ?selinux_secmark_to_secid(skb-
> >secmark),
> ? ?SECCLASS_PACKET, PACKET__SEND,
> &ad))
> ? return NF_DROP_ERR(-ECONNREFUSED);
> ?
> @@ -5301,7 +5315,8 @@ static unsigned int selinux_ip_postroute(struct
> sk_buff *skb,
> ? return NF_DROP;
> ?
> ? if (secmark_active)
> - if (avc_has_perm(peer_sid, skb->secmark,
> + if (avc_has_perm(peer_sid,
> + ?selinux_secmark_to_secid(skb-
> >secmark),
> ? ?SECCLASS_PACKET, secmark_perm,
> &ad))
> ? return NF_DROP_ERR(-ECONNREFUSED);
> ?
> @@ -6339,6 +6354,8 @@ static __init int selinux_init(void)
> ?
> ? security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
> "selinux");
> ?
> + selinux_secids_index = selinux_hooks[0].lsm_index;
> +
> ? if (avc_add_callback(selinux_netcache_avc_callback,
> AVC_CALLBACK_RESET))
> ? panic("SELinux: Unable to register AVC netcache
> callback\n");
> ?
> diff --git a/security/selinux/include/xfrm.h
> b/security/selinux/include/xfrm.h
> index 1450f85b946d..475a328248b3 100644
> --- a/security/selinux/include/xfrm.h
> +++ b/security/selinux/include/xfrm.h
> @@ -25,7 +25,7 @@ int selinux_xfrm_state_delete(struct xfrm_state
> *x);
> ?int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32
> fl_secid, u8 dir);
> ?int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
> ? ??????struct xfrm_policy *xp,
> - ??????const struct flowi *fl);
> + ??????u32 fl_secid);
> ?
> ?#ifdef CONFIG_SECURITY_NETWORK_XFRM
> ?extern atomic_t selinux_xfrm_refcount;
> diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
> index 789d07bd900f..d71e2c32b5da 100644
> --- a/security/selinux/xfrm.c
> +++ b/security/selinux/xfrm.c
> @@ -174,7 +174,7 @@ int selinux_xfrm_policy_lookup(struct
> xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
> ? */
> ?int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
> ? ??????struct xfrm_policy *xp,
> - ??????const struct flowi *fl)
> + ??????u32 fl_secid)
> ?{
> ? u32 state_sid;
> ?
> @@ -196,13 +196,13 @@ int selinux_xfrm_state_pol_flow_match(struct
> xfrm_state *x,
> ?
> ? state_sid = x->security->ctx_sid;
> ?
> - if (fl->flowi_secid != state_sid)
> + if (fl_secid != state_sid)
> ? return 0;
> ?
> ? /* We don't need a separate SA Vs. policy polmatch check
> since the SA
> ? ?* is now of the same label as the flow and a flow Vs.
> policy polmatch
> ? ?* check had already happened in
> selinux_xfrm_policy_lookup() above. */
> - return (avc_has_perm(fl->flowi_secid, state_sid,
> + return (avc_has_perm(fl_secid, state_sid,
> ? ????SECCLASS_ASSOCIATION,
> ASSOCIATION__SENDTO,
> ? ????NULL) ? 0 : 1);
> ?}
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index e7611de071f1..e9fd586e0ec1 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -328,6 +328,7 @@ void smk_destroy_label_list(struct list_head
> *list);
> ? * Shared data.
> ? */
> ?extern int smack_enabled;
> +extern int smack_secids_index;
> ?extern int smack_cipso_direct;
> ?extern int smack_cipso_mapped;
> ?extern struct smack_known *smack_net_ambient;
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 1e9ab7bdaf55..51daf9b05f17 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -57,6 +57,7 @@ static LIST_HEAD(smk_ipv6_port_list);
> ?#endif
> ?static struct kmem_cache *smack_inode_cache;
> ?int smack_enabled;
> +int smack_secids_index;
> ?
> ?static const match_table_t smk_mount_tokens = {
> ? {Opt_fsdefault, SMK_FSDEFAULT "%s"},
> @@ -3788,6 +3789,13 @@ static int smk_skb_to_addr_ipv6(struct sk_buff
> *skb, struct sockaddr_in6 *sip)
> ?}
> ?#endif /* CONFIG_IPV6 */
> ?
> +#ifdef CONFIG_SECURITY_SMACK_NETFILTER
> +static u32 smk_of_secmark(u32 secmark)
> +{
> + return lsm_token_to_module_secid(secmark,
> smack_secids_index);
> +}
> +#endif
> +
> ?/**
> ? * smack_socket_sock_rcv_skb - Smack packet delivery access check
> ? * @sk: socket
> @@ -3819,7 +3827,7 @@ static int smack_socket_sock_rcv_skb(struct
> sock *sk, struct sk_buff *skb)
> ? ?* The secmark is assumed to reflect policy better.
> ? ?*/
> ? if (skb && skb->secmark != 0) {
> - skp = smack_from_secid(skb->secmark);
> + skp = smack_from_secid(smk_of_secmark(skb-
> >secmark));
> ? goto access_check;
> ? }
> ?#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
> @@ -3864,7 +3872,7 @@ static int smack_socket_sock_rcv_skb(struct
> sock *sk, struct sk_buff *skb)
> ? break;
> ?#ifdef SMACK_IPV6_SECMARK_LABELING
> ? if (skb && skb->secmark != 0)
> - skp = smack_from_secid(skb->secmark);
> + skp = smack_from_secid(smk_of_secmark(skb-
> >secmark));
> ? else
> ? skp = smack_ipv6host_label(&sadd);
> ? if (skp == NULL)
> @@ -3962,7 +3970,7 @@ static int smack_socket_getpeersec_dgram(struct
> socket *sock,
> ? break;
> ? case PF_INET:
> ?#ifdef CONFIG_SECURITY_SMACK_NETFILTER
> - s = skb->secmark;
> + s = smk_of_secmark(skb->secmark);
> ? if (s != 0)
> ? break;
> ?#endif
> @@ -3981,7 +3989,7 @@ static int smack_socket_getpeersec_dgram(struct
> socket *sock,
> ? break;
> ? case PF_INET6:
> ?#ifdef SMACK_IPV6_SECMARK_LABELING
> - s = skb->secmark;
> + s = smk_of_secmark(skb->secmark);
> ?#endif
> ? break;
> ? }
> @@ -4060,7 +4068,7 @@ static int smack_inet_conn_request(struct sock
> *sk, struct sk_buff *skb,
> ? ?* The secmark is assumed to reflect policy better.
> ? ?*/
> ? if (skb && skb->secmark != 0) {
> - skp = smack_from_secid(skb->secmark);
> + skp = smack_from_secid(smk_of_secmark(skb-
> >secmark));
> ? goto access_check;
> ? }
> ?#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
> @@ -4650,6 +4658,7 @@ static __init int smack_init(void)
> ? ?* Register with LSM
> ? ?*/
> ? security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks),
> "smack");
> + smack_secids_index = smack_hooks[0].lsm_index;
> ? smack_enabled = 1;
> ?
> ? pr_info("Smack:??Initializing.\n");
> diff --git a/security/smack/smack_netfilter.c
> b/security/smack/smack_netfilter.c
> index a5155295551f..510661ba6c16 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -23,6 +23,19 @@
> ?
> ?#if IS_ENABLED(CONFIG_IPV6)
> ?
> +/*
> + * Reinvestigate this soon?
> + *
> + */
> +static u32 smack_to_secmark(u32 secid)
> +{
> + struct lsm_secids secids;
> +
> + lsm_secids_init(&secids);
> + secids.secid[smack_secids_index] = secid;
> + return lsm_secids_to_token(&secids);
> +}
> +
> ?static unsigned int smack_ipv6_output(void *priv,
> ? struct sk_buff *skb,
> ? const struct nf_hook_state
> *state)
> @@ -34,7 +47,7 @@ static unsigned int smack_ipv6_output(void *priv,
> ? if (sk && smack_sock(sk)) {
> ? ssp = smack_sock(sk);
> ? skp = ssp->smk_out;
> - skb->secmark = skp->smk_secid;
> + skb->secmark = smack_to_secmark(skp->smk_secid);
> ? }
> ?
> ? return NF_ACCEPT;
> @@ -52,7 +65,7 @@ static unsigned int smack_ipv4_output(void *priv,
> ? if (sk && smack_sock(sk)) {
> ? ssp = smack_sock(sk);
> ? skp = ssp->smk_out;
> - skb->secmark = skp->smk_secid;
> + skb->secmark = smack_to_secmark(skp->smk_secid);
> ? }
> ?
> ? return NF_ACCEPT;
> diff --git a/security/stacking.c b/security/stacking.c
> new file mode 100644
> index 000000000000..65276cd695de
> --- /dev/null
> +++ b/security/stacking.c
> @@ -0,0 +1,165 @@
> +/*
> + *??Maintain a mapping between the secid used in networking
> + *??and the set of secids used by the security modules.
> + *
> + *??Author:
> + * Casey Schaufler <casey@schaufler-ca.com>
> + *
> + *??Copyright (C) 2017 Casey Schaufler <casey@schaufler-ca.com>
> + *??Copyright (C) 2017 Intel Corporation.
> + *
> + * This program is free software; you can redistribute it
> and/or modify
> + * it under the terms of the GNU General Public License
> version 2,
> + *??????as published by the Free Software Foundation.
> + */
> +
> +#include <linux/lsm_hooks.h>
> +
> +struct token_entry {
> + int used; /* relative age of
> the entry */
> + u32 token; /* token value */
> + struct lsm_secids secids; /* secids mapped to
> this token */
> +};
> +
> +/*
> + * Add an entry to the table when asked for a mapping that
> + * isn't already present. If the table is full throw away the
> + * least recently used entry. If the entry is present undate
> + * when it was used.
> + */
> +#define TOKEN_AGE_LIMIT (MAX_INT >> 2)
> +#define TOKEN_LIMIT 0x20000000
> +#define TOKEN_SET_SIZE 200
> +#define TOKEN_BIT 0x80000000
> +int token_used;
> +u32 token_next;
> +struct lsm_secids null_secids;
> +struct token_entry token_set[TOKEN_SET_SIZE];
> +
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> +static void report_token(const char *msg, const struct token_entry
> *te)
> +{
> + int i;
> +
> + pr_info("LSM: %s token=%08x %u,%u,%u,%u,%u,%u,%u,%u\n", msg,
> te->token,
> + te->secids.secid[0], te->secids.secid[1], te-
> >secids.secid[2],
> + te->secids.secid[3], te->secids.secid[4], te-
> >secids.secid[5],
> + te->secids.secid[6], te->secids.secid[7]);
> + for (i = 0; i < LSM_MAX_MAJOR; i++)
> + if (te->secids.secid[i] & TOKEN_BIT)
> + pr_info("LSM: module %d provided a
> token.\n", i);
> +}
> +#else
> +static inline void report_token(const char *msg, const struct
> token_entry *te)
> +{
> +}
> +#endif
> +
> +static int next_used(void)
> +{
> + if (token_next >= TOKEN_LIMIT) {
> + pr_info("LSM: Security token use overflow - safe
> reset\n");
> + token_used = 0;
> + }
> + return ++token_used;
> +}
> +
> +static u32 next_token(void)
> +{
> + if (token_next >= TOKEN_LIMIT) {
> + pr_info("LSM: Security token overflow - safe
> reset\n");
> + token_next = 0;
> + }
> + return ++token_next | TOKEN_BIT;
> +}
> +
> +u32 lsm_secids_to_token(const struct lsm_secids *secids)
> +{
> + int i;
> + int j;
> + int old;
> +
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> + for (i = 0; i < LSM_MAX_MAJOR; i++)
> + if (secids->secid[i] & TOKEN_BIT)
> + pr_info("LSM: %s secid[%d]=%08x has token
> bit\n",
> + __func__, i, secids->secid[i]);
> +#endif
> +
> + /*
> + ?* If none of the secids are set whoever sent this here
> + ?* was thinking "0".
> + ?*/
> + if (!memcmp(secids, &null_secids, sizeof(*secids)))
> + return 0;
> +
> + for (i = 0; i < TOKEN_SET_SIZE; i++) {
> + if (token_set[i].token == 0)
> + break;
> + if (!memcmp(secids, &token_set[i].secids,
> sizeof(*secids))) {
> + token_set[i].used = next_used();
> + return token_set[i].token;
> + }
> + }
> + if (i == TOKEN_SET_SIZE) {
> + old = token_used;
> + for (j = 0; j < TOKEN_SET_SIZE; j++) {
> + if (token_set[j].used < old) {
> + old = token_set[j].used;
> + i = j;
> + }
> + }
> + }
> + token_set[i].secids = *secids;
> + token_set[i].token = next_token();
> + token_set[i].used = next_used();
> +
> + report_token("new", &token_set[i]);
> +
> + return token_set[i].token;
> +}
> +
> +void lsm_token_to_secids(const u32 token, struct lsm_secids *secids)
> +{
> + int i;
> + struct lsm_secids fudge;
> +
> + if (token) {
> + if (!(token & TOKEN_BIT)) {
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> + pr_info("LSM: %s token=%08x has no token
> bit\n",
> + __func__, token);
> +#endif
> + for (i = 0; i < LSM_MAX_MAJOR; i++)
> + fudge.secid[i] = token;
> + *secids = fudge;
> + return;
> + }
> + for (i = 0; i < TOKEN_SET_SIZE; i++) {
> + if (token_set[i].token == 0)
> + break;
> + if (token_set[i].token == token) {
> + *secids = token_set[i].secids;
> + token_set[i].used = next_used();
> + return;
> + }
> + }
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> + pr_info("LSM: %s token=%u was not found\n", __func__,
> token);
> +#endif
> + }
> + *secids = null_secids;
> +}
> +
> +u32 lsm_token_to_module_secid(const u32 token, int lsm)
> +{
> + struct lsm_secids secids;
> +
> +????????lsm_token_to_secids(token, &secids);
> + return secids.secid[lsm];
> +}
> +
> +void lsm_secids_init(struct lsm_secids *secids)
> +{
> + *secids = null_secids;
> +}
ENOLOCKING
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [Non-DoD Source] [PATCH 07/11] LSM: Shared secids by token
2017-08-31 16:30 ` [Non-DoD Source] " Stephen Smalley
@ 2017-08-31 18:37 ` Stephen Smalley
2017-08-31 22:43 ` Casey Schaufler
0 siblings, 1 reply; 21+ messages in thread
From: Stephen Smalley @ 2017-08-31 18:37 UTC (permalink / raw)
To: linux-security-module
On Thu, 2017-08-31 at 12:30 -0400, Stephen Smalley wrote:
> On Tue, 2017-08-29 at 14:01 -0700, Casey Schaufler wrote:
> > Subject: [PATCH 07/11] LSM: Shared secids by token
> >
> > Introduces a mechanism for mapping a set of security
> > module secids to and from a "token". The module interfaces
> > are changed to generally hide the mechanism from both the
> > security modules and the callers of the security hooks.
> >
> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > ---
> > ?include/linux/lsm_hooks.h????????|??54 ++++++++-
> > ?security/Makefile????????????????|???1 +
> > ?security/security.c??????????????| 248
> > ++++++++++++++++++++++++++++++++++-----
> > ?security/selinux/hooks.c?????????|??31 +++--
> > ?security/selinux/include/xfrm.h??|???2 +-
> > ?security/selinux/xfrm.c??????????|???6 +-
> > ?security/smack/smack.h???????????|???1 +
> > ?security/smack/smack_lsm.c???????|??19 ++-
> > ?security/smack/smack_netfilter.c |??17 ++-
> > ?security/stacking.c??????????????| 165 ++++++++++++++++++++++++++
> > ?10 files changed, 497 insertions(+), 47 deletions(-)
> > ?create mode 100644 security/stacking.c
> >
> > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> > index dfe4dab1ff8d..75d95854f2ed 100644
> > --- a/include/linux/lsm_hooks.h
> > +++ b/include/linux/lsm_hooks.h
> > @@ -1627,7 +1627,7 @@ union security_list_options {
> > ? void (*secmark_refcount_inc)(void);
> > ? void (*secmark_refcount_dec)(void);
> > ? void (*req_classify_flow)(const struct request_sock *req,
> > - struct flowi *fl);
> > + u32 *fl_secid);
> > ? int (*tun_dev_alloc_security)(void **security);
> > ? void (*tun_dev_free_security)(void *security);
> > ? int (*tun_dev_create)(void);
> > @@ -1663,7 +1663,7 @@ union security_list_options {
> > ? u8 dir);
> > ? int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
> > ? struct xfrm_policy
> > *xp,
> > - const struct flowi
> > *fl);
> > + u32 fl_secid);
> > ? int (*xfrm_decode_session)(struct sk_buff *skb, u32
> > *secid,
> > int ckall);
> > ?#endif /* CONFIG_SECURITY_NETWORK_XFRM */
> > ?
> > @@ -1916,9 +1916,59 @@ struct security_hook_list {
> > ? struct list_head *head;
> > ? union security_list_options hook;
> > ? char *lsm;
> > + int lsm_index;
> > ?} __randomize_layout;
> > ?
> > ?/*
> > + * The maximum number of major security modules.
> > + * Used to avoid excessive memory management while
> > + * mapping global and module specific secids.
> > + *
> > + * Currently SELinux, Smack, AppArmor, TOMOYO
> > + * Oh, but Casey needs to come up with the right way
> > + * to identify a "major" module, so use the total number
> > + * of modules (including minor) for now.
> > + * Minor: Capability, Yama, LoadPin
> > + */
> > +#define LSM_MAX_MAJOR 8
> > +
> > +#ifdef CONFIG_SECURITY_STACKING
> > +struct lsm_secids {
> > + u32 secid[LSM_MAX_MAJOR];
> > +};
> > +
> > +extern u32 lsm_secids_to_token(const struct lsm_secids *secids);
> > +extern void lsm_token_to_secids(const u32 token, struct lsm_secids
> > *secids);
> > +extern u32 lsm_token_to_module_secid(const u32 token, int lsm);
> > +extern void lsm_secids_init(struct lsm_secids *secids);
> > +#else /* CONFIG_SECURITY_STACKING */
> > +struct lsm_secids {
> > + u32 secid;
> > +};
> > +
> > +static inline u32 lsm_secids_to_token(const struct lsm_secids
> > *secids)
> > +{
> > + return secids->secid;
> > +}
> > +
> > +static inline void lsm_token_to_secids(const u32 token,
> > + ???????struct lsm_secids *secids)
> > +{
> > + secids->secid = token;
> > +}
> > +
> > +static inline u32 lsm_token_to_module_secid(const u32 token, int
> > lsm)
> > +{
> > + return token;
> > +}
> > +
> > +static inline void lsm_secids_init(struct lsm_secids *secids)
> > +{
> > + secids->secid = 0;
> > +}
> > +#endif /* CONFIG_SECURITY_STACKING */
> > +
> > +/*
> > ? * Security blob size or offset data.
> > ? */
> > ?struct lsm_blob_sizes {
> > diff --git a/security/Makefile b/security/Makefile
> > index f2d71cdb8e19..05e6d525b5a1 100644
> > --- a/security/Makefile
> > +++ b/security/Makefile
> > @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) +=
> > apparmor/
> > ?obj-$(CONFIG_SECURITY_YAMA) += yama/
> > ?obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> > ?obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
> > +obj-$(CONFIG_SECURITY_STACKING) += stacking.o
> > ?
> > ?# Object integrity file lists
> > ?subdir-$(CONFIG_INTEGRITY) += integrity
> > diff --git a/security/security.c b/security/security.c
> > index 6b979aa769ad..9d402d954cef 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -199,6 +199,11 @@ bool __init security_module_enable(const char
> > *lsm, const bool stacked)
> > ?#endif
> > ?}
> > ?
> > +/*
> > + * Keep the order of major modules for mapping secids.
> > + */
> > +static int lsm_next_major;
> > +
> > ?/**
> > ? * security_add_hooks - Add a modules hooks to the hook lists.
> > ? * @hooks: the hooks to add
> > @@ -211,9 +216,14 @@ void __init security_add_hooks(struct
> > security_hook_list *hooks, int count,
> > ? char *lsm)
> > ?{
> > ? int i;
> > + int lsm_index = lsm_next_major++;
> > ?
> > +#ifdef CONFIG_SECURITY_LSM_DEBUG
> > + pr_info("LSM: Security module %s gets index %d\n", lsm,
> > lsm_index);
> > +#endif
> > ? for (i = 0; i < count; i++) {
> > ? hooks[i].lsm = lsm;
> > + hooks[i].lsm_index = lsm_index;
> > ? list_add_tail_rcu(&hooks[i].list, hooks[i].head);
> > ? }
> > ? if (lsm_append(lsm, &lsm_names) < 0)
> > @@ -1218,7 +1228,15 @@ EXPORT_SYMBOL(security_inode_listsecurity);
> > ?
> > ?void security_inode_getsecid(struct inode *inode, u32 *secid)
> > ?{
> > - call_void_hook(inode_getsecid, inode, secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > +
> > + lsm_secids_init(&secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.inode_getsecid,
> > list)
> > + hp->hook.inode_getsecid(inode, &secids.secid[hp-
> > > lsm_index]);
> >
> > +
> > + *secid = lsm_secids_to_token(&secids);
> > ?}
> > ?
> > ?int security_inode_copy_up(struct dentry *src, struct cred **new)
> > @@ -1406,7 +1424,18 @@ void security_transfer_creds(struct cred
> > *new,
> > const struct cred *old)
> > ?
> > ?int security_kernel_act_as(struct cred *new, u32 secid)
> > ?{
> > - return call_int_hook(kernel_act_as, 0, new, secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_token_to_secids(secid, &secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.kernel_act_as,
> > list) {
> > + rc = hp->hook.kernel_act_as(new, secids.secid[hp-
> > > lsm_index]);
> >
> > + if (rc)
> > + break;
> > + }
> > + return rc;
> > ?}
> > ?
> > ?int security_kernel_create_files_as(struct cred *new, struct inode
> > *inode)
> > @@ -1465,8 +1494,15 @@ int security_task_getsid(struct task_struct
> > *p)
> > ?
> > ?void security_task_getsecid(struct task_struct *p, u32 *secid)
> > ?{
> > - *secid = 0;
> > - call_void_hook(task_getsecid, p, secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > +
> > + lsm_secids_init(&secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.task_getsecid,
> > list)
> > + hp->hook.task_getsecid(p, &secids.secid[hp-
> > > lsm_index]);
> >
> > +
> > + *secid = lsm_secids_to_token(&secids);
> > ?}
> > ?EXPORT_SYMBOL(security_task_getsecid);
> > ?
> > @@ -1515,7 +1551,19 @@ int security_task_movememory(struct
> > task_struct *p)
> > ?int security_task_kill(struct task_struct *p, struct siginfo
> > *info,
> > ? int sig, u32 secid)
> > ?{
> > - return call_int_hook(task_kill, 0, p, info, sig, secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_token_to_secids(secid, &secids);
> > +
> > + list_for_each_entry(hp, &security_hook_heads.task_kill,
> > list) {
> > + rc = hp->hook.task_kill(p, info, sig,
> > + secids.secid[hp-
> > > lsm_index]);
> >
> > + if (rc)
> > + break;
> > + }
> > + return rc;
> > ?}
> > ?
> > ?int security_task_prctl(int option, unsigned long arg2, unsigned
> > long arg3,
> > @@ -1548,8 +1596,15 @@ int security_ipc_permission(struct
> > kern_ipc_perm *ipcp, short flag)
> > ?
> > ?void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
> > ?{
> > - *secid = 0;
> > - call_void_hook(ipc_getsecid, ipcp, secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > +
> > + lsm_secids_init(&secids);
> > +
> > + list_for_each_entry(hp, &security_hook_heads.ipc_getsecid,
> > list)
> > + hp->hook.ipc_getsecid(ipcp, &secids.secid[hp-
> > > lsm_index]);
> >
> > +
> > + *secid = lsm_secids_to_token(&secids);
> > ?}
> > ?
> > ?int security_msg_msg_alloc(struct msg_msg *msg)
> > @@ -1840,15 +1895,42 @@ EXPORT_SYMBOL(security_ismaclabel);
> > ?
> > ?int security_secid_to_secctx(u32 secid, char **secdata, u32
> > *seclen)
> > ?{
> > - return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid,
> > secdata,
> > - seclen);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = -EOPNOTSUPP;
> > +
> > + lsm_token_to_secids(secid, &secids);
> > +
> > + /*
> > + ?* CBS - Return the first result regardless.
> > + ?*/
> > + list_for_each_entry(hp,
> > &security_hook_heads.secid_to_secctx, list) {
> > + rc = hp->hook.secid_to_secctx(secids.secid[hp-
> > > lsm_index],
> >
> > + secdata, seclen);
> > + if (rc != -EOPNOTSUPP)
> > + break;
> > + }
> > + return rc;
> > ?}
> > ?EXPORT_SYMBOL(security_secid_to_secctx);
> > ?
> > ?int security_secctx_to_secid(const char *secdata, u32 seclen, u32
> > *secid)
> > ?{
> > - *secid = 0;
> > - return call_int_hook(secctx_to_secid, 0, secdata, seclen,
> > secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_secids_init(&secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.secctx_to_secid, list) {
> > + rc = hp->hook.secctx_to_secid(secdata, seclen,
> > + &secids.secid[hp-
> > > lsm_index]);
> >
> > + if (rc)
> > + break;
> > + }
> > +
> > + *secid = lsm_secids_to_token(&secids);
> > + return rc;
> > ?}
> > ?EXPORT_SYMBOL(security_secctx_to_secid);
> > ?
> > @@ -1977,10 +2059,26 @@ int
> > security_socket_getpeersec_stream(struct
> > socket *sock, char __user *optval,
> > ? optval, optlen, len);
> > ?}
> > ?
> > -int security_socket_getpeersec_dgram(struct socket *sock, struct
> > sk_buff *skb, u32 *secid)
> > +int security_socket_getpeersec_dgram(struct socket *sock, struct
> > sk_buff *skb,
> > + ?????u32 *secid)
> > ?{
> > - return call_int_hook(socket_getpeersec_dgram,
> > -ENOPROTOOPT,
> > sock,
> > - ?????skb, secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = -ENOPROTOOPT;
> > +
> > + lsm_secids_init(&secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.socket_getpeersec_dgram,
> > +
> > list) {
> > + rc = hp->hook.socket_getpeersec_dgram(sock, skb,
> > + &secids.secid[hp-
> > > lsm_index]);
> >
> > + if (rc)
> > + break;
> > + }
> > +
> > + if (!rc)
> > + *secid = lsm_secids_to_token(&secids);
> > + return rc;
> > ?}
> > ?EXPORT_SYMBOL(security_socket_getpeersec_dgram);
> > ?
> > @@ -2008,13 +2106,30 @@ EXPORT_SYMBOL(security_sk_clone);
> > ?
> > ?void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
> > ?{
> > - call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > +
> > + lsm_secids_init(&secids);
> > +
> > + list_for_each_entry(hp, &security_hook_heads.sk_getsecid,
> > list)
> > + hp->hook.sk_getsecid(sk, &secids.secid[hp-
> > > lsm_index]);
> >
> > +
> > + fl->flowi_secid = lsm_secids_to_token(&secids);
> > ?}
> > ?EXPORT_SYMBOL(security_sk_classify_flow);
> > ?
> > -void security_req_classify_flow(const struct request_sock *req,
> > struct flowi *fl)
> > +void security_req_classify_flow(const struct request_sock *req,
> > + struct flowi *fl)
> > ?{
> > - call_void_hook(req_classify_flow, req, fl);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > +
> > + lsm_secids_init(&secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.req_classify_flow, list)
> > + hp->hook.req_classify_flow(req, &secids.secid[hp-
> > > lsm_index]);
> >
> > +
> > + fl->flowi_secid = lsm_secids_to_token(&secids);
> > ?}
> > ?EXPORT_SYMBOL(security_req_classify_flow);
> > ?
> > @@ -2045,7 +2160,20 @@ void security_inet_conn_established(struct
> > sock *sk,
> > ?
> > ?int security_secmark_relabel_packet(u32 secid)
> > ?{
> > - return call_int_hook(secmark_relabel_packet, 0, secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_token_to_secids(secid, &secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.secmark_relabel_packet,
> > +
> > list) {
> > + rc = hp->hook.secmark_relabel_packet(
> > + secids.secid[hp-
> > > lsm_index]);
> >
> > + if (rc)
> > + break;
> > + }
> > + return rc;
> > ?}
> > ?EXPORT_SYMBOL(security_secmark_relabel_packet);
> > ?
> > @@ -2163,7 +2291,20 @@ EXPORT_SYMBOL(security_xfrm_state_alloc);
> > ?int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
> > ? ??????struct xfrm_sec_ctx *polsec,
> > u32 secid)
> > ?{
> > - return call_int_hook(xfrm_state_alloc_acquire, 0, x,
> > polsec,
> > secid);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_token_to_secids(secid, &secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.xfrm_state_alloc_acquire,
> > +
> > list) {
> > + rc = hp->hook.xfrm_state_alloc_acquire(x, polsec,
> > + secids.secid[hp-
> > > lsm_index]);
> >
> > + if (rc)
> > + break;
> > + }
> > + return rc;
> > ?}
> > ?
> > ?int security_xfrm_state_delete(struct xfrm_state *x)
> > @@ -2179,7 +2320,19 @@ void security_xfrm_state_free(struct
> > xfrm_state *x)
> > ?
> > ?int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32
> > fl_secid, u8 dir)
> > ?{
> > - return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid,
> > dir);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_token_to_secids(fl_secid, &secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.xfrm_policy_lookup, list) {
> > + rc = hp->hook.xfrm_policy_lookup(ctx,
> > + secids.secid[hp-
> > >lsm_index],?
> > dir);
> > + if (rc)
> > + break;
> > + }
> > + return rc;
> > ?}
> > ?
> > ?int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
> > @@ -2187,6 +2340,7 @@ int security_xfrm_state_pol_flow_match(struct
> > xfrm_state *x,
> > ? ???????const struct flowi *fl)
> > ?{
> > ? struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > ? int rc = 1;
> > ?
> > ? /*
> > @@ -2198,9 +2352,12 @@ int
> > security_xfrm_state_pol_flow_match(struct
> > xfrm_state *x,
> > ? ?* For speed optimization, we explicitly break the loop
> > rather than
> > ? ?* using the macro
> > ? ?*/
> > + lsm_token_to_secids(fl->flowi_secid, &secids);
> > +
> > ? list_for_each_entry(hp,
> > &security_hook_heads.xfrm_state_pol_flow_match,
> > - list) {
> > - rc = hp->hook.xfrm_state_pol_flow_match(x, xp,
> > fl);
> > +
> > list) {
> > + rc = hp->hook.xfrm_state_pol_flow_match(x, xp,
> > + secids.secid[hp->lsm_index]);
> > ? break;
> > ? }
> > ? return rc;
> > @@ -2208,15 +2365,41 @@ int
> > security_xfrm_state_pol_flow_match(struct
> > xfrm_state *x,
> > ?
> > ?int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
> > ?{
> > - return call_int_hook(xfrm_decode_session, 0, skb, secid,
> > 1);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_secids_init(&secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.xfrm_decode_session,
> > +
> > list) {
> > + rc = hp->hook.xfrm_decode_session(skb,
> > + &secids.secid[hp-
> > > lsm_index], 1);
> >
> > + if (rc)
> > + break;
> > + }
> > + if (!rc)
> > + *secid = lsm_secids_to_token(&secids);
> > + return rc;
> > ?}
> > ?
> > ?void security_skb_classify_flow(struct sk_buff *skb, struct flowi
> > *fl)
> > ?{
> > - int rc = call_int_hook(xfrm_decode_session, 0, skb, &fl-
> > > flowi_secid,
> >
> > - 0);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_secids_init(&secids);
> > ?
> > + list_for_each_entry(hp,
> > &security_hook_heads.xfrm_decode_session,
> > +
> > list) {
> > + rc = hp->hook.xfrm_decode_session(skb,
> > + &secids.secid[hp-
> > > lsm_index], 0);
> >
> > + if (rc)
> > + break;
> > + }
> > ? BUG_ON(rc);
> > + fl->flowi_secid = lsm_secids_to_token(&secids);
> > ?}
> > ?EXPORT_SYMBOL(security_skb_classify_flow);
> > ?
> > @@ -2275,7 +2458,18 @@ void security_audit_rule_free(void *lsmrule)
> > ?int security_audit_rule_match(u32 secid, u32 field, u32 op, void
> > *lsmrule,
> > ? ??????struct audit_context *actx)
> > ?{
> > - return call_int_hook(audit_rule_match, 0, secid, field,
> > op,
> > lsmrule,
> > - actx);
> > + struct security_hook_list *hp;
> > + struct lsm_secids secids;
> > + int rc = 0;
> > +
> > + lsm_token_to_secids(secid, &secids);
> > +
> > + list_for_each_entry(hp,
> > &security_hook_heads.audit_rule_match, list) {
> > + rc = hp->hook.audit_rule_match(secids.secid[hp-
> > > lsm_index],
> >
> > + field, op,
> > lsmrule,
> > actx);
> > + if (rc)
> > + break;
> > + }
> > + return rc;
> > ?}
> > ?#endif /* CONFIG_AUDIT */
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 84d533335924..389f09ebd374 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -100,6 +100,9 @@
> > ?/* SECMARK reference count */
> > ?static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
> > ?
> > +/* Index into lsm_secids */
> > +static int selinux_secids_index;
> > +
> > ?#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
> > ?int selinux_enforcing;
> > ?
> > @@ -4610,6 +4613,11 @@ static int selinux_inet_sys_rcv_skb(struct
> > net
> > *ns, int ifindex,
> > ? ????SECCLASS_NODE, NODE__RECVFROM, ad);
> > ?}
> > ?
> > +static u32 selinux_secmark_to_secid(u32 token)
> > +{
> > + return lsm_token_to_module_secid(token,
> > selinux_secids_index);
> > +}
> > +
> > ?static int selinux_sock_rcv_skb_compat(struct sock *sk, struct
> > sk_buff *skb,
> > ? ???????u16 family)
> > ?{
> > @@ -4629,7 +4637,9 @@ static int selinux_sock_rcv_skb_compat(struct
> > sock *sk, struct sk_buff *skb,
> > ? return err;
> > ?
> > ? if (selinux_secmark_enabled()) {
> > - err = avc_has_perm(sk_sid, skb->secmark,
> > SECCLASS_PACKET,
> > + err = avc_has_perm(sk_sid,
> > + ???selinux_secmark_to_secid(skb-
> > > secmark),
> >
> > + ???SECCLASS_PACKET,
> > ? ???PACKET__RECV, &ad);
> > ? if (err)
> > ? return err;
> > @@ -4703,7 +4713,9 @@ static int selinux_socket_sock_rcv_skb(struct
> > sock *sk, struct sk_buff *skb)
> > ? }
> > ?
> > ? if (secmark_active) {
> > - err = avc_has_perm(sk_sid, skb->secmark,
> > SECCLASS_PACKET,
> > + err = avc_has_perm(sk_sid,
> > + ???selinux_secmark_to_secid(skb-
> > > secmark),
> >
> > + ???SECCLASS_PACKET,
> > ? ???PACKET__RECV, &ad);
> > ? if (err)
> > ? return err;
> > @@ -4902,9 +4914,9 @@ static void
> > selinux_secmark_refcount_dec(void)
> > ?}
> > ?
> > ?static void selinux_req_classify_flow(const struct request_sock
> > *req,
> > - ??????struct flowi *fl)
> > + ??????u32 *fl_secid)
> > ?{
> > - fl->flowi_secid = req->secid;
> > + *fl_secid = req->secid;
> > ?}
> > ?
> > ?static int selinux_tun_dev_alloc_security(void **security)
> > @@ -5066,7 +5078,8 @@ static unsigned int selinux_ip_forward(struct
> > sk_buff *skb,
> > ? }
> > ?
> > ? if (secmark_active)
> > - if (avc_has_perm(peer_sid, skb->secmark,
> > + if (avc_has_perm(peer_sid,
> > + ?selinux_secmark_to_secid(skb-
> > > secmark),
> >
> > ? ?SECCLASS_PACKET,
> > PACKET__FORWARD_IN, &ad))
> > ? return NF_DROP;
> > ?
> > @@ -5178,7 +5191,8 @@ static unsigned int
> > selinux_ip_postroute_compat(struct sk_buff *skb,
> > ? return NF_DROP;
> > ?
> > ? if (selinux_secmark_enabled())
> > - if (avc_has_perm(sksec->sid, skb->secmark,
> > + if (avc_has_perm(sksec->sid,
> > + ?selinux_secmark_to_secid(skb-
> > > secmark),
> >
> > ? ?SECCLASS_PACKET, PACKET__SEND,
> > &ad))
> > ? return NF_DROP_ERR(-ECONNREFUSED);
> > ?
> > @@ -5301,7 +5315,8 @@ static unsigned int
> > selinux_ip_postroute(struct
> > sk_buff *skb,
> > ? return NF_DROP;
> > ?
> > ? if (secmark_active)
> > - if (avc_has_perm(peer_sid, skb->secmark,
> > + if (avc_has_perm(peer_sid,
> > + ?selinux_secmark_to_secid(skb-
> > > secmark),
> >
> > ? ?SECCLASS_PACKET, secmark_perm,
> > &ad))
> > ? return NF_DROP_ERR(-ECONNREFUSED);
> > ?
> > @@ -6339,6 +6354,8 @@ static __init int selinux_init(void)
> > ?
> > ? security_add_hooks(selinux_hooks,
> > ARRAY_SIZE(selinux_hooks),
> > "selinux");
> > ?
> > + selinux_secids_index = selinux_hooks[0].lsm_index;
> > +
> > ? if (avc_add_callback(selinux_netcache_avc_callback,
> > AVC_CALLBACK_RESET))
> > ? panic("SELinux: Unable to register AVC netcache
> > callback\n");
> > ?
> > diff --git a/security/selinux/include/xfrm.h
> > b/security/selinux/include/xfrm.h
> > index 1450f85b946d..475a328248b3 100644
> > --- a/security/selinux/include/xfrm.h
> > +++ b/security/selinux/include/xfrm.h
> > @@ -25,7 +25,7 @@ int selinux_xfrm_state_delete(struct xfrm_state
> > *x);
> > ?int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32
> > fl_secid, u8 dir);
> > ?int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
> > ? ??????struct xfrm_policy *xp,
> > - ??????const struct flowi *fl);
> > + ??????u32 fl_secid);
> > ?
> > ?#ifdef CONFIG_SECURITY_NETWORK_XFRM
> > ?extern atomic_t selinux_xfrm_refcount;
> > diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
> > index 789d07bd900f..d71e2c32b5da 100644
> > --- a/security/selinux/xfrm.c
> > +++ b/security/selinux/xfrm.c
> > @@ -174,7 +174,7 @@ int selinux_xfrm_policy_lookup(struct
> > xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
> > ? */
> > ?int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
> > ? ??????struct xfrm_policy *xp,
> > - ??????const struct flowi *fl)
> > + ??????u32 fl_secid)
> > ?{
> > ? u32 state_sid;
> > ?
> > @@ -196,13 +196,13 @@ int selinux_xfrm_state_pol_flow_match(struct
> > xfrm_state *x,
> > ?
> > ? state_sid = x->security->ctx_sid;
> > ?
> > - if (fl->flowi_secid != state_sid)
> > + if (fl_secid != state_sid)
> > ? return 0;
> > ?
> > ? /* We don't need a separate SA Vs. policy polmatch check
> > since the SA
> > ? ?* is now of the same label as the flow and a flow Vs.
> > policy polmatch
> > ? ?* check had already happened in
> > selinux_xfrm_policy_lookup() above. */
> > - return (avc_has_perm(fl->flowi_secid, state_sid,
> > + return (avc_has_perm(fl_secid, state_sid,
> > ? ????SECCLASS_ASSOCIATION,
> > ASSOCIATION__SENDTO,
> > ? ????NULL) ? 0 : 1);
> > ?}
> > diff --git a/security/smack/smack.h b/security/smack/smack.h
> > index e7611de071f1..e9fd586e0ec1 100644
> > --- a/security/smack/smack.h
> > +++ b/security/smack/smack.h
> > @@ -328,6 +328,7 @@ void smk_destroy_label_list(struct list_head
> > *list);
> > ? * Shared data.
> > ? */
> > ?extern int smack_enabled;
> > +extern int smack_secids_index;
> > ?extern int smack_cipso_direct;
> > ?extern int smack_cipso_mapped;
> > ?extern struct smack_known *smack_net_ambient;
> > diff --git a/security/smack/smack_lsm.c
> > b/security/smack/smack_lsm.c
> > index 1e9ab7bdaf55..51daf9b05f17 100644
> > --- a/security/smack/smack_lsm.c
> > +++ b/security/smack/smack_lsm.c
> > @@ -57,6 +57,7 @@ static LIST_HEAD(smk_ipv6_port_list);
> > ?#endif
> > ?static struct kmem_cache *smack_inode_cache;
> > ?int smack_enabled;
> > +int smack_secids_index;
> > ?
> > ?static const match_table_t smk_mount_tokens = {
> > ? {Opt_fsdefault, SMK_FSDEFAULT "%s"},
> > @@ -3788,6 +3789,13 @@ static int smk_skb_to_addr_ipv6(struct
> > sk_buff
> > *skb, struct sockaddr_in6 *sip)
> > ?}
> > ?#endif /* CONFIG_IPV6 */
> > ?
> > +#ifdef CONFIG_SECURITY_SMACK_NETFILTER
> > +static u32 smk_of_secmark(u32 secmark)
> > +{
> > + return lsm_token_to_module_secid(secmark,
> > smack_secids_index);
> > +}
> > +#endif
> > +
> > ?/**
> > ? * smack_socket_sock_rcv_skb - Smack packet delivery access check
> > ? * @sk: socket
> > @@ -3819,7 +3827,7 @@ static int smack_socket_sock_rcv_skb(struct
> > sock *sk, struct sk_buff *skb)
> > ? ?* The secmark is assumed to reflect policy
> > better.
> > ? ?*/
> > ? if (skb && skb->secmark != 0) {
> > - skp = smack_from_secid(skb->secmark);
> > + skp = smack_from_secid(smk_of_secmark(skb-
> > > secmark));
> >
> > ? goto access_check;
> > ? }
> > ?#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
> > @@ -3864,7 +3872,7 @@ static int smack_socket_sock_rcv_skb(struct
> > sock *sk, struct sk_buff *skb)
> > ? break;
> > ?#ifdef SMACK_IPV6_SECMARK_LABELING
> > ? if (skb && skb->secmark != 0)
> > - skp = smack_from_secid(skb->secmark);
> > + skp = smack_from_secid(smk_of_secmark(skb-
> > > secmark));
> >
> > ? else
> > ? skp = smack_ipv6host_label(&sadd);
> > ? if (skp == NULL)
> > @@ -3962,7 +3970,7 @@ static int
> > smack_socket_getpeersec_dgram(struct
> > socket *sock,
> > ? break;
> > ? case PF_INET:
> > ?#ifdef CONFIG_SECURITY_SMACK_NETFILTER
> > - s = skb->secmark;
> > + s = smk_of_secmark(skb->secmark);
> > ? if (s != 0)
> > ? break;
> > ?#endif
> > @@ -3981,7 +3989,7 @@ static int
> > smack_socket_getpeersec_dgram(struct
> > socket *sock,
> > ? break;
> > ? case PF_INET6:
> > ?#ifdef SMACK_IPV6_SECMARK_LABELING
> > - s = skb->secmark;
> > + s = smk_of_secmark(skb->secmark);
> > ?#endif
> > ? break;
> > ? }
> > @@ -4060,7 +4068,7 @@ static int smack_inet_conn_request(struct
> > sock
> > *sk, struct sk_buff *skb,
> > ? ?* The secmark is assumed to reflect policy better.
> > ? ?*/
> > ? if (skb && skb->secmark != 0) {
> > - skp = smack_from_secid(skb->secmark);
> > + skp = smack_from_secid(smk_of_secmark(skb-
> > > secmark));
> >
> > ? goto access_check;
> > ? }
> > ?#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
> > @@ -4650,6 +4658,7 @@ static __init int smack_init(void)
> > ? ?* Register with LSM
> > ? ?*/
> > ? security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks),
> > "smack");
> > + smack_secids_index = smack_hooks[0].lsm_index;
> > ? smack_enabled = 1;
> > ?
> > ? pr_info("Smack:??Initializing.\n");
> > diff --git a/security/smack/smack_netfilter.c
> > b/security/smack/smack_netfilter.c
> > index a5155295551f..510661ba6c16 100644
> > --- a/security/smack/smack_netfilter.c
> > +++ b/security/smack/smack_netfilter.c
> > @@ -23,6 +23,19 @@
> > ?
> > ?#if IS_ENABLED(CONFIG_IPV6)
> > ?
> > +/*
> > + * Reinvestigate this soon?
> > + *
> > + */
> > +static u32 smack_to_secmark(u32 secid)
> > +{
> > + struct lsm_secids secids;
> > +
> > + lsm_secids_init(&secids);
> > + secids.secid[smack_secids_index] = secid;
> > + return lsm_secids_to_token(&secids);
> > +}
> > +
> > ?static unsigned int smack_ipv6_output(void *priv,
> > ? struct sk_buff *skb,
> > ? const struct nf_hook_state
> > *state)
> > @@ -34,7 +47,7 @@ static unsigned int smack_ipv6_output(void *priv,
> > ? if (sk && smack_sock(sk)) {
> > ? ssp = smack_sock(sk);
> > ? skp = ssp->smk_out;
> > - skb->secmark = skp->smk_secid;
> > + skb->secmark = smack_to_secmark(skp->smk_secid);
> > ? }
> > ?
> > ? return NF_ACCEPT;
> > @@ -52,7 +65,7 @@ static unsigned int smack_ipv4_output(void *priv,
> > ? if (sk && smack_sock(sk)) {
> > ? ssp = smack_sock(sk);
> > ? skp = ssp->smk_out;
> > - skb->secmark = skp->smk_secid;
> > + skb->secmark = smack_to_secmark(skp->smk_secid);
> > ? }
> > ?
> > ? return NF_ACCEPT;
> > diff --git a/security/stacking.c b/security/stacking.c
> > new file mode 100644
> > index 000000000000..65276cd695de
> > --- /dev/null
> > +++ b/security/stacking.c
> > @@ -0,0 +1,165 @@
> > +/*
> > + *??Maintain a mapping between the secid used in networking
> > + *??and the set of secids used by the security modules.
> > + *
> > + *??Author:
> > + * Casey Schaufler <casey@schaufler-ca.com>
> > + *
> > + *??Copyright (C) 2017 Casey Schaufler <casey@schaufler-ca.com>
> > + *??Copyright (C) 2017 Intel Corporation.
> > + *
> > + * This program is free software; you can redistribute it
> > and/or modify
> > + * it under the terms of the GNU General Public License
> > version 2,
> > + *??????as published by the Free Software Foundation.
> > + */
> > +
> > +#include <linux/lsm_hooks.h>
> > +
> > +struct token_entry {
> > + int used; /* relative age of
> > the entry */
> > + u32 token; /* token value */
> > + struct lsm_secids secids; /* secids mapped
> > to
> > this token */
> > +};
> > +
> > +/*
> > + * Add an entry to the table when asked for a mapping that
> > + * isn't already present. If the table is full throw away the
> > + * least recently used entry. If the entry is present undate
> > + * when it was used.
> > + */
> > +#define TOKEN_AGE_LIMIT (MAX_INT >> 2)
> > +#define TOKEN_LIMIT 0x20000000
> > +#define TOKEN_SET_SIZE 200
> > +#define TOKEN_BIT 0x80000000
> > +int token_used;
> > +u32 token_next;
> > +struct lsm_secids null_secids;
> > +struct token_entry token_set[TOKEN_SET_SIZE];
> > +
> > +#ifdef CONFIG_SECURITY_LSM_DEBUG
> > +static void report_token(const char *msg, const struct token_entry
> > *te)
> > +{
> > + int i;
> > +
> > + pr_info("LSM: %s token=%08x %u,%u,%u,%u,%u,%u,%u,%u\n",
> > msg,
> > te->token,
> > + te->secids.secid[0], te->secids.secid[1], te-
> > > secids.secid[2],
> >
> > + te->secids.secid[3], te->secids.secid[4], te-
> > > secids.secid[5],
> >
> > + te->secids.secid[6], te->secids.secid[7]);
> > + for (i = 0; i < LSM_MAX_MAJOR; i++)
> > + if (te->secids.secid[i] & TOKEN_BIT)
> > + pr_info("LSM: module %d provided a
> > token.\n", i);
> > +}
> > +#else
> > +static inline void report_token(const char *msg, const struct
> > token_entry *te)
> > +{
> > +}
> > +#endif
> > +
> > +static int next_used(void)
> > +{
> > + if (token_next >= TOKEN_LIMIT) {
> > + pr_info("LSM: Security token use overflow - safe
> > reset\n");
> > + token_used = 0;
> > + }
> > + return ++token_used;
> > +}
> > +
> > +static u32 next_token(void)
> > +{
> > + if (token_next >= TOKEN_LIMIT) {
> > + pr_info("LSM: Security token overflow - safe
> > reset\n");
> > + token_next = 0;
> > + }
> > + return ++token_next | TOKEN_BIT;
> > +}
> > +
> > +u32 lsm_secids_to_token(const struct lsm_secids *secids)
> > +{
> > + int i;
> > + int j;
> > + int old;
> > +
> > +#ifdef CONFIG_SECURITY_LSM_DEBUG
> > + for (i = 0; i < LSM_MAX_MAJOR; i++)
> > + if (secids->secid[i] & TOKEN_BIT)
> > + pr_info("LSM: %s secid[%d]=%08x has token
> > bit\n",
> > + __func__, i, secids->secid[i]);
> > +#endif
> > +
> > + /*
> > + ?* If none of the secids are set whoever sent this here
> > + ?* was thinking "0".
> > + ?*/
> > + if (!memcmp(secids, &null_secids, sizeof(*secids)))
> > + return 0;
> > +
> > + for (i = 0; i < TOKEN_SET_SIZE; i++) {
> > + if (token_set[i].token == 0)
> > + break;
> > + if (!memcmp(secids, &token_set[i].secids,
> > sizeof(*secids))) {
> > + token_set[i].used = next_used();
> > + return token_set[i].token;
> > + }
> > + }
> > + if (i == TOKEN_SET_SIZE) {
> > + old = token_used;
> > + for (j = 0; j < TOKEN_SET_SIZE; j++) {
> > + if (token_set[j].used < old) {
> > + old = token_set[j].used;
> > + i = j;
> > + }
> > + }
> > + }
> > + token_set[i].secids = *secids;
> > + token_set[i].token = next_token();
> > + token_set[i].used = next_used();
> > +
> > + report_token("new", &token_set[i]);
> > +
> > + return token_set[i].token;
> > +}
> > +
> > +void lsm_token_to_secids(const u32 token, struct lsm_secids
> > *secids)
> > +{
> > + int i;
> > + struct lsm_secids fudge;
> > +
> > + if (token) {
> > + if (!(token & TOKEN_BIT)) {
> > +#ifdef CONFIG_SECURITY_LSM_DEBUG
> > + pr_info("LSM: %s token=%08x has no token
> > bit\n",
> > + __func__, token);
> > +#endif
> > + for (i = 0; i < LSM_MAX_MAJOR; i++)
> > + fudge.secid[i] = token;
> > + *secids = fudge;
> > + return;
> > + }
> > + for (i = 0; i < TOKEN_SET_SIZE; i++) {
> > + if (token_set[i].token == 0)
> > + break;
> > + if (token_set[i].token == token) {
> > + *secids = token_set[i].secids;
> > + token_set[i].used = next_used();
> > + return;
> > + }
> > + }
> > +#ifdef CONFIG_SECURITY_LSM_DEBUG
> > + pr_info("LSM: %s token=%u was not found\n", __func__,
> > token);
> > +#endif
> > + }
> > + *secids = null_secids;
> > +}
> > +
> > +u32 lsm_token_to_module_secid(const u32 token, int lsm)
> > +{
> > + struct lsm_secids secids;
> > +
> > +????????lsm_token_to_secids(token, &secids);
> > + return secids.secid[lsm];
> > +}
> > +
> > +void lsm_secids_init(struct lsm_secids *secids)
> > +{
> > + *secids = null_secids;
> > +}
>
> ENOLOCKING
Also, how do you know that it is safe to reclaim the least recently
used entry? Previously issued tokens/secids may have been cached in
other kernel data structures, and you have no guarantees that they are
no longer in use there.
A simple find / -ls on a Fedora system will roll over your token set
size many times.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [Non-DoD Source] [PATCH 03/11] LSM: Manage file security blobs
2017-08-31 15:58 ` Casey Schaufler
@ 2017-08-31 18:41 ` Stephen Smalley
0 siblings, 0 replies; 21+ messages in thread
From: Stephen Smalley @ 2017-08-31 18:41 UTC (permalink / raw)
To: linux-security-module
On Thu, 2017-08-31 at 08:58 -0700, Casey Schaufler wrote:
> On 8/31/2017 8:47 AM, Stephen Smalley wrote:
> > On Tue, 2017-08-29 at 13:57 -0700, Casey Schaufler wrote:
> > > Subject: [PATCH 03/11] LSM: Manage file security blobs
> > >
> > > Move the management of file security blobs from the individual
> > > security modules to the security infrastructure. The security
> > > modules
> > > using file blobs have been updated accordingly. Modules are
> > > required
> > > to identify the space they need at module initialization. In some
> > > cases a module no longer needs to supply a blob management hook,
> > > in
> > > which case the hook has been removed.
> > >
> > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> <SNIP>
>
> > > ?/**
> > > ? * selinux_secmark_enabled - Check to see if SECMARK is
> > > currently
> > > enabled
> > > @@ -359,27 +358,15 @@ static void inode_free_security(struct
> > > inode
> > > *inode)
> > > ?
> > > ?static int file_alloc_security(struct file *file)
> > > ?{
> > > - struct file_security_struct *fsec;
> > > + struct file_security_struct *fsec = selinux_file(file);
> > > ? u32 sid = current_sid();
> > > ?
> > > - fsec = kmem_cache_zalloc(file_security_cache,
> > > GFP_KERNEL);
> > > - if (!fsec)
> > > - return -ENOMEM;
> > > -
> >
> > NAK. See commit 63205654c0e05e5ffa1c6eef2fbef21dcabd2185 for why
> > this
> > was changed from a simple kzalloc() to using its own cache; we
> > don't
> > want to regress in this regard.
>
> I was somewhat expecting this. Is there any reason that using
> kmem_cache_zalloc() in the infrastructure would not address the
> issue? If this is a win for SELinux it should be a win for any
> module that uses file blobs.
Whether or not it will truly be a win will depend on the size of the
file security blob for that module (or module stack). But yes, you
should be able to do the same in the infrastructure.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
* [Non-DoD Source] [PATCH 07/11] LSM: Shared secids by token
2017-08-31 18:37 ` Stephen Smalley
@ 2017-08-31 22:43 ` Casey Schaufler
0 siblings, 0 replies; 21+ messages in thread
From: Casey Schaufler @ 2017-08-31 22:43 UTC (permalink / raw)
To: linux-security-module
On 8/31/2017 11:37 AM, Stephen Smalley wrote:
> On Thu, 2017-08-31 at 12:30 -0400, Stephen Smalley wrote:
>> On Tue, 2017-08-29 at 14:01 -0700, Casey Schaufler wrote:
>>> Subject: [PATCH 07/11] LSM: Shared secids by token
>>>
>>> Introduces a mechanism for mapping a set of security
>>> module secids to and from a "token". The module interfaces
>>> are changed to generally hide the mechanism from both the
>>> security modules and the callers of the security hooks.
>>>
>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>> ---
>>> ?include/linux/lsm_hooks.h????????|??54 ++++++++-
>>> ?security/Makefile????????????????|???1 +
>>> ?security/security.c??????????????| 248
>>> ++++++++++++++++++++++++++++++++++-----
>>> ?security/selinux/hooks.c?????????|??31 +++--
>>> ?security/selinux/include/xfrm.h??|???2 +-
>>> ?security/selinux/xfrm.c??????????|???6 +-
>>> ?security/smack/smack.h???????????|???1 +
>>> ?security/smack/smack_lsm.c???????|??19 ++-
>>> ?security/smack/smack_netfilter.c |??17 ++-
>>> ?security/stacking.c??????????????| 165 ++++++++++++++++++++++++++
>>> ?10 files changed, 497 insertions(+), 47 deletions(-)
>>> ?create mode 100644 security/stacking.c
>>>
>>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>>> index dfe4dab1ff8d..75d95854f2ed 100644
>>> --- a/include/linux/lsm_hooks.h
>>> +++ b/include/linux/lsm_hooks.h
>>> @@ -1627,7 +1627,7 @@ union security_list_options {
>>> ? void (*secmark_refcount_inc)(void);
>>> ? void (*secmark_refcount_dec)(void);
>>> ? void (*req_classify_flow)(const struct request_sock *req,
>>> - struct flowi *fl);
>>> + u32 *fl_secid);
>>> ? int (*tun_dev_alloc_security)(void **security);
>>> ? void (*tun_dev_free_security)(void *security);
>>> ? int (*tun_dev_create)(void);
>>> @@ -1663,7 +1663,7 @@ union security_list_options {
>>> ? u8 dir);
>>> ? int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
>>> ? struct xfrm_policy
>>> *xp,
>>> - const struct flowi
>>> *fl);
>>> + u32 fl_secid);
>>> ? int (*xfrm_decode_session)(struct sk_buff *skb, u32
>>> *secid,
>>> int ckall);
>>> ?#endif /* CONFIG_SECURITY_NETWORK_XFRM */
>>> ?
>>> @@ -1916,9 +1916,59 @@ struct security_hook_list {
>>> ? struct list_head *head;
>>> ? union security_list_options hook;
>>> ? char *lsm;
>>> + int lsm_index;
>>> ?} __randomize_layout;
>>> ?
>>> ?/*
>>> + * The maximum number of major security modules.
>>> + * Used to avoid excessive memory management while
>>> + * mapping global and module specific secids.
>>> + *
>>> + * Currently SELinux, Smack, AppArmor, TOMOYO
>>> + * Oh, but Casey needs to come up with the right way
>>> + * to identify a "major" module, so use the total number
>>> + * of modules (including minor) for now.
>>> + * Minor: Capability, Yama, LoadPin
>>> + */
>>> +#define LSM_MAX_MAJOR 8
>>> +
>>> +#ifdef CONFIG_SECURITY_STACKING
>>> +struct lsm_secids {
>>> + u32 secid[LSM_MAX_MAJOR];
>>> +};
>>> +
>>> +extern u32 lsm_secids_to_token(const struct lsm_secids *secids);
>>> +extern void lsm_token_to_secids(const u32 token, struct lsm_secids
>>> *secids);
>>> +extern u32 lsm_token_to_module_secid(const u32 token, int lsm);
>>> +extern void lsm_secids_init(struct lsm_secids *secids);
>>> +#else /* CONFIG_SECURITY_STACKING */
>>> +struct lsm_secids {
>>> + u32 secid;
>>> +};
>>> +
>>> +static inline u32 lsm_secids_to_token(const struct lsm_secids
>>> *secids)
>>> +{
>>> + return secids->secid;
>>> +}
>>> +
>>> +static inline void lsm_token_to_secids(const u32 token,
>>> + ???????struct lsm_secids *secids)
>>> +{
>>> + secids->secid = token;
>>> +}
>>> +
>>> +static inline u32 lsm_token_to_module_secid(const u32 token, int
>>> lsm)
>>> +{
>>> + return token;
>>> +}
>>> +
>>> +static inline void lsm_secids_init(struct lsm_secids *secids)
>>> +{
>>> + secids->secid = 0;
>>> +}
>>> +#endif /* CONFIG_SECURITY_STACKING */
>>> +
>>> +/*
>>> ? * Security blob size or offset data.
>>> ? */
>>> ?struct lsm_blob_sizes {
>>> diff --git a/security/Makefile b/security/Makefile
>>> index f2d71cdb8e19..05e6d525b5a1 100644
>>> --- a/security/Makefile
>>> +++ b/security/Makefile
>>> @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) +=
>>> apparmor/
>>> ?obj-$(CONFIG_SECURITY_YAMA) += yama/
>>> ?obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
>>> ?obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
>>> +obj-$(CONFIG_SECURITY_STACKING) += stacking.o
>>> ?
>>> ?# Object integrity file lists
>>> ?subdir-$(CONFIG_INTEGRITY) += integrity
>>> diff --git a/security/security.c b/security/security.c
>>> index 6b979aa769ad..9d402d954cef 100644
>>> --- a/security/security.c
>>> +++ b/security/security.c
>>> @@ -199,6 +199,11 @@ bool __init security_module_enable(const char
>>> *lsm, const bool stacked)
>>> ?#endif
>>> ?}
>>> ?
>>> +/*
>>> + * Keep the order of major modules for mapping secids.
>>> + */
>>> +static int lsm_next_major;
>>> +
>>> ?/**
>>> ? * security_add_hooks - Add a modules hooks to the hook lists.
>>> ? * @hooks: the hooks to add
>>> @@ -211,9 +216,14 @@ void __init security_add_hooks(struct
>>> security_hook_list *hooks, int count,
>>> ? char *lsm)
>>> ?{
>>> ? int i;
>>> + int lsm_index = lsm_next_major++;
>>> ?
>>> +#ifdef CONFIG_SECURITY_LSM_DEBUG
>>> + pr_info("LSM: Security module %s gets index %d\n", lsm,
>>> lsm_index);
>>> +#endif
>>> ? for (i = 0; i < count; i++) {
>>> ? hooks[i].lsm = lsm;
>>> + hooks[i].lsm_index = lsm_index;
>>> ? list_add_tail_rcu(&hooks[i].list, hooks[i].head);
>>> ? }
>>> ? if (lsm_append(lsm, &lsm_names) < 0)
>>> @@ -1218,7 +1228,15 @@ EXPORT_SYMBOL(security_inode_listsecurity);
>>> ?
>>> ?void security_inode_getsecid(struct inode *inode, u32 *secid)
>>> ?{
>>> - call_void_hook(inode_getsecid, inode, secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> +
>>> + lsm_secids_init(&secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.inode_getsecid,
>>> list)
>>> + hp->hook.inode_getsecid(inode, &secids.secid[hp-
>>>> lsm_index]);
>>> +
>>> + *secid = lsm_secids_to_token(&secids);
>>> ?}
>>> ?
>>> ?int security_inode_copy_up(struct dentry *src, struct cred **new)
>>> @@ -1406,7 +1424,18 @@ void security_transfer_creds(struct cred
>>> *new,
>>> const struct cred *old)
>>> ?
>>> ?int security_kernel_act_as(struct cred *new, u32 secid)
>>> ?{
>>> - return call_int_hook(kernel_act_as, 0, new, secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_token_to_secids(secid, &secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.kernel_act_as,
>>> list) {
>>> + rc = hp->hook.kernel_act_as(new, secids.secid[hp-
>>>> lsm_index]);
>>> + if (rc)
>>> + break;
>>> + }
>>> + return rc;
>>> ?}
>>> ?
>>> ?int security_kernel_create_files_as(struct cred *new, struct inode
>>> *inode)
>>> @@ -1465,8 +1494,15 @@ int security_task_getsid(struct task_struct
>>> *p)
>>> ?
>>> ?void security_task_getsecid(struct task_struct *p, u32 *secid)
>>> ?{
>>> - *secid = 0;
>>> - call_void_hook(task_getsecid, p, secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> +
>>> + lsm_secids_init(&secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.task_getsecid,
>>> list)
>>> + hp->hook.task_getsecid(p, &secids.secid[hp-
>>>> lsm_index]);
>>> +
>>> + *secid = lsm_secids_to_token(&secids);
>>> ?}
>>> ?EXPORT_SYMBOL(security_task_getsecid);
>>> ?
>>> @@ -1515,7 +1551,19 @@ int security_task_movememory(struct
>>> task_struct *p)
>>> ?int security_task_kill(struct task_struct *p, struct siginfo
>>> *info,
>>> ? int sig, u32 secid)
>>> ?{
>>> - return call_int_hook(task_kill, 0, p, info, sig, secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_token_to_secids(secid, &secids);
>>> +
>>> + list_for_each_entry(hp, &security_hook_heads.task_kill,
>>> list) {
>>> + rc = hp->hook.task_kill(p, info, sig,
>>> + secids.secid[hp-
>>>> lsm_index]);
>>> + if (rc)
>>> + break;
>>> + }
>>> + return rc;
>>> ?}
>>> ?
>>> ?int security_task_prctl(int option, unsigned long arg2, unsigned
>>> long arg3,
>>> @@ -1548,8 +1596,15 @@ int security_ipc_permission(struct
>>> kern_ipc_perm *ipcp, short flag)
>>> ?
>>> ?void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
>>> ?{
>>> - *secid = 0;
>>> - call_void_hook(ipc_getsecid, ipcp, secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> +
>>> + lsm_secids_init(&secids);
>>> +
>>> + list_for_each_entry(hp, &security_hook_heads.ipc_getsecid,
>>> list)
>>> + hp->hook.ipc_getsecid(ipcp, &secids.secid[hp-
>>>> lsm_index]);
>>> +
>>> + *secid = lsm_secids_to_token(&secids);
>>> ?}
>>> ?
>>> ?int security_msg_msg_alloc(struct msg_msg *msg)
>>> @@ -1840,15 +1895,42 @@ EXPORT_SYMBOL(security_ismaclabel);
>>> ?
>>> ?int security_secid_to_secctx(u32 secid, char **secdata, u32
>>> *seclen)
>>> ?{
>>> - return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid,
>>> secdata,
>>> - seclen);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = -EOPNOTSUPP;
>>> +
>>> + lsm_token_to_secids(secid, &secids);
>>> +
>>> + /*
>>> + ?* CBS - Return the first result regardless.
>>> + ?*/
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.secid_to_secctx, list) {
>>> + rc = hp->hook.secid_to_secctx(secids.secid[hp-
>>>> lsm_index],
>>> + secdata, seclen);
>>> + if (rc != -EOPNOTSUPP)
>>> + break;
>>> + }
>>> + return rc;
>>> ?}
>>> ?EXPORT_SYMBOL(security_secid_to_secctx);
>>> ?
>>> ?int security_secctx_to_secid(const char *secdata, u32 seclen, u32
>>> *secid)
>>> ?{
>>> - *secid = 0;
>>> - return call_int_hook(secctx_to_secid, 0, secdata, seclen,
>>> secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_secids_init(&secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.secctx_to_secid, list) {
>>> + rc = hp->hook.secctx_to_secid(secdata, seclen,
>>> + &secids.secid[hp-
>>>> lsm_index]);
>>> + if (rc)
>>> + break;
>>> + }
>>> +
>>> + *secid = lsm_secids_to_token(&secids);
>>> + return rc;
>>> ?}
>>> ?EXPORT_SYMBOL(security_secctx_to_secid);
>>> ?
>>> @@ -1977,10 +2059,26 @@ int
>>> security_socket_getpeersec_stream(struct
>>> socket *sock, char __user *optval,
>>> ? optval, optlen, len);
>>> ?}
>>> ?
>>> -int security_socket_getpeersec_dgram(struct socket *sock, struct
>>> sk_buff *skb, u32 *secid)
>>> +int security_socket_getpeersec_dgram(struct socket *sock, struct
>>> sk_buff *skb,
>>> + ?????u32 *secid)
>>> ?{
>>> - return call_int_hook(socket_getpeersec_dgram,
>>> -ENOPROTOOPT,
>>> sock,
>>> - ?????skb, secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = -ENOPROTOOPT;
>>> +
>>> + lsm_secids_init(&secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.socket_getpeersec_dgram,
>>> +
>>> list) {
>>> + rc = hp->hook.socket_getpeersec_dgram(sock, skb,
>>> + &secids.secid[hp-
>>>> lsm_index]);
>>> + if (rc)
>>> + break;
>>> + }
>>> +
>>> + if (!rc)
>>> + *secid = lsm_secids_to_token(&secids);
>>> + return rc;
>>> ?}
>>> ?EXPORT_SYMBOL(security_socket_getpeersec_dgram);
>>> ?
>>> @@ -2008,13 +2106,30 @@ EXPORT_SYMBOL(security_sk_clone);
>>> ?
>>> ?void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>> ?{
>>> - call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> +
>>> + lsm_secids_init(&secids);
>>> +
>>> + list_for_each_entry(hp, &security_hook_heads.sk_getsecid,
>>> list)
>>> + hp->hook.sk_getsecid(sk, &secids.secid[hp-
>>>> lsm_index]);
>>> +
>>> + fl->flowi_secid = lsm_secids_to_token(&secids);
>>> ?}
>>> ?EXPORT_SYMBOL(security_sk_classify_flow);
>>> ?
>>> -void security_req_classify_flow(const struct request_sock *req,
>>> struct flowi *fl)
>>> +void security_req_classify_flow(const struct request_sock *req,
>>> + struct flowi *fl)
>>> ?{
>>> - call_void_hook(req_classify_flow, req, fl);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> +
>>> + lsm_secids_init(&secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.req_classify_flow, list)
>>> + hp->hook.req_classify_flow(req, &secids.secid[hp-
>>>> lsm_index]);
>>> +
>>> + fl->flowi_secid = lsm_secids_to_token(&secids);
>>> ?}
>>> ?EXPORT_SYMBOL(security_req_classify_flow);
>>> ?
>>> @@ -2045,7 +2160,20 @@ void security_inet_conn_established(struct
>>> sock *sk,
>>> ?
>>> ?int security_secmark_relabel_packet(u32 secid)
>>> ?{
>>> - return call_int_hook(secmark_relabel_packet, 0, secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_token_to_secids(secid, &secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.secmark_relabel_packet,
>>> +
>>> list) {
>>> + rc = hp->hook.secmark_relabel_packet(
>>> + secids.secid[hp-
>>>> lsm_index]);
>>> + if (rc)
>>> + break;
>>> + }
>>> + return rc;
>>> ?}
>>> ?EXPORT_SYMBOL(security_secmark_relabel_packet);
>>> ?
>>> @@ -2163,7 +2291,20 @@ EXPORT_SYMBOL(security_xfrm_state_alloc);
>>> ?int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
>>> ? ??????struct xfrm_sec_ctx *polsec,
>>> u32 secid)
>>> ?{
>>> - return call_int_hook(xfrm_state_alloc_acquire, 0, x,
>>> polsec,
>>> secid);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_token_to_secids(secid, &secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.xfrm_state_alloc_acquire,
>>> +
>>> list) {
>>> + rc = hp->hook.xfrm_state_alloc_acquire(x, polsec,
>>> + secids.secid[hp-
>>>> lsm_index]);
>>> + if (rc)
>>> + break;
>>> + }
>>> + return rc;
>>> ?}
>>> ?
>>> ?int security_xfrm_state_delete(struct xfrm_state *x)
>>> @@ -2179,7 +2320,19 @@ void security_xfrm_state_free(struct
>>> xfrm_state *x)
>>> ?
>>> ?int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32
>>> fl_secid, u8 dir)
>>> ?{
>>> - return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid,
>>> dir);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_token_to_secids(fl_secid, &secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.xfrm_policy_lookup, list) {
>>> + rc = hp->hook.xfrm_policy_lookup(ctx,
>>> + secids.secid[hp-
>>>> lsm_index],?
>>> dir);
>>> + if (rc)
>>> + break;
>>> + }
>>> + return rc;
>>> ?}
>>> ?
>>> ?int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
>>> @@ -2187,6 +2340,7 @@ int security_xfrm_state_pol_flow_match(struct
>>> xfrm_state *x,
>>> ? ???????const struct flowi *fl)
>>> ?{
>>> ? struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> ? int rc = 1;
>>> ?
>>> ? /*
>>> @@ -2198,9 +2352,12 @@ int
>>> security_xfrm_state_pol_flow_match(struct
>>> xfrm_state *x,
>>> ? ?* For speed optimization, we explicitly break the loop
>>> rather than
>>> ? ?* using the macro
>>> ? ?*/
>>> + lsm_token_to_secids(fl->flowi_secid, &secids);
>>> +
>>> ? list_for_each_entry(hp,
>>> &security_hook_heads.xfrm_state_pol_flow_match,
>>> - list) {
>>> - rc = hp->hook.xfrm_state_pol_flow_match(x, xp,
>>> fl);
>>> +
>>> list) {
>>> + rc = hp->hook.xfrm_state_pol_flow_match(x, xp,
>>> + secids.secid[hp->lsm_index]);
>>> ? break;
>>> ? }
>>> ? return rc;
>>> @@ -2208,15 +2365,41 @@ int
>>> security_xfrm_state_pol_flow_match(struct
>>> xfrm_state *x,
>>> ?
>>> ?int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
>>> ?{
>>> - return call_int_hook(xfrm_decode_session, 0, skb, secid,
>>> 1);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_secids_init(&secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.xfrm_decode_session,
>>> +
>>> list) {
>>> + rc = hp->hook.xfrm_decode_session(skb,
>>> + &secids.secid[hp-
>>>> lsm_index], 1);
>>> + if (rc)
>>> + break;
>>> + }
>>> + if (!rc)
>>> + *secid = lsm_secids_to_token(&secids);
>>> + return rc;
>>> ?}
>>> ?
>>> ?void security_skb_classify_flow(struct sk_buff *skb, struct flowi
>>> *fl)
>>> ?{
>>> - int rc = call_int_hook(xfrm_decode_session, 0, skb, &fl-
>>>> flowi_secid,
>>> - 0);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_secids_init(&secids);
>>> ?
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.xfrm_decode_session,
>>> +
>>> list) {
>>> + rc = hp->hook.xfrm_decode_session(skb,
>>> + &secids.secid[hp-
>>>> lsm_index], 0);
>>> + if (rc)
>>> + break;
>>> + }
>>> ? BUG_ON(rc);
>>> + fl->flowi_secid = lsm_secids_to_token(&secids);
>>> ?}
>>> ?EXPORT_SYMBOL(security_skb_classify_flow);
>>> ?
>>> @@ -2275,7 +2458,18 @@ void security_audit_rule_free(void *lsmrule)
>>> ?int security_audit_rule_match(u32 secid, u32 field, u32 op, void
>>> *lsmrule,
>>> ? ??????struct audit_context *actx)
>>> ?{
>>> - return call_int_hook(audit_rule_match, 0, secid, field,
>>> op,
>>> lsmrule,
>>> - actx);
>>> + struct security_hook_list *hp;
>>> + struct lsm_secids secids;
>>> + int rc = 0;
>>> +
>>> + lsm_token_to_secids(secid, &secids);
>>> +
>>> + list_for_each_entry(hp,
>>> &security_hook_heads.audit_rule_match, list) {
>>> + rc = hp->hook.audit_rule_match(secids.secid[hp-
>>>> lsm_index],
>>> + field, op,
>>> lsmrule,
>>> actx);
>>> + if (rc)
>>> + break;
>>> + }
>>> + return rc;
>>> ?}
>>> ?#endif /* CONFIG_AUDIT */
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 84d533335924..389f09ebd374 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -100,6 +100,9 @@
>>> ?/* SECMARK reference count */
>>> ?static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
>>> ?
>>> +/* Index into lsm_secids */
>>> +static int selinux_secids_index;
>>> +
>>> ?#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
>>> ?int selinux_enforcing;
>>> ?
>>> @@ -4610,6 +4613,11 @@ static int selinux_inet_sys_rcv_skb(struct
>>> net
>>> *ns, int ifindex,
>>> ? ????SECCLASS_NODE, NODE__RECVFROM, ad);
>>> ?}
>>> ?
>>> +static u32 selinux_secmark_to_secid(u32 token)
>>> +{
>>> + return lsm_token_to_module_secid(token,
>>> selinux_secids_index);
>>> +}
>>> +
>>> ?static int selinux_sock_rcv_skb_compat(struct sock *sk, struct
>>> sk_buff *skb,
>>> ? ???????u16 family)
>>> ?{
>>> @@ -4629,7 +4637,9 @@ static int selinux_sock_rcv_skb_compat(struct
>>> sock *sk, struct sk_buff *skb,
>>> ? return err;
>>> ?
>>> ? if (selinux_secmark_enabled()) {
>>> - err = avc_has_perm(sk_sid, skb->secmark,
>>> SECCLASS_PACKET,
>>> + err = avc_has_perm(sk_sid,
>>> + ???selinux_secmark_to_secid(skb-
>>>> secmark),
>>> + ???SECCLASS_PACKET,
>>> ? ???PACKET__RECV, &ad);
>>> ? if (err)
>>> ? return err;
>>> @@ -4703,7 +4713,9 @@ static int selinux_socket_sock_rcv_skb(struct
>>> sock *sk, struct sk_buff *skb)
>>> ? }
>>> ?
>>> ? if (secmark_active) {
>>> - err = avc_has_perm(sk_sid, skb->secmark,
>>> SECCLASS_PACKET,
>>> + err = avc_has_perm(sk_sid,
>>> + ???selinux_secmark_to_secid(skb-
>>>> secmark),
>>> + ???SECCLASS_PACKET,
>>> ? ???PACKET__RECV, &ad);
>>> ? if (err)
>>> ? return err;
>>> @@ -4902,9 +4914,9 @@ static void
>>> selinux_secmark_refcount_dec(void)
>>> ?}
>>> ?
>>> ?static void selinux_req_classify_flow(const struct request_sock
>>> *req,
>>> - ??????struct flowi *fl)
>>> + ??????u32 *fl_secid)
>>> ?{
>>> - fl->flowi_secid = req->secid;
>>> + *fl_secid = req->secid;
>>> ?}
>>> ?
>>> ?static int selinux_tun_dev_alloc_security(void **security)
>>> @@ -5066,7 +5078,8 @@ static unsigned int selinux_ip_forward(struct
>>> sk_buff *skb,
>>> ? }
>>> ?
>>> ? if (secmark_active)
>>> - if (avc_has_perm(peer_sid, skb->secmark,
>>> + if (avc_has_perm(peer_sid,
>>> + ?selinux_secmark_to_secid(skb-
>>>> secmark),
>>> ? ?SECCLASS_PACKET,
>>> PACKET__FORWARD_IN, &ad))
>>> ? return NF_DROP;
>>> ?
>>> @@ -5178,7 +5191,8 @@ static unsigned int
>>> selinux_ip_postroute_compat(struct sk_buff *skb,
>>> ? return NF_DROP;
>>> ?
>>> ? if (selinux_secmark_enabled())
>>> - if (avc_has_perm(sksec->sid, skb->secmark,
>>> + if (avc_has_perm(sksec->sid,
>>> + ?selinux_secmark_to_secid(skb-
>>>> secmark),
>>> ? ?SECCLASS_PACKET, PACKET__SEND,
>>> &ad))
>>> ? return NF_DROP_ERR(-ECONNREFUSED);
>>> ?
>>> @@ -5301,7 +5315,8 @@ static unsigned int
>>> selinux_ip_postroute(struct
>>> sk_buff *skb,
>>> ? return NF_DROP;
>>> ?
>>> ? if (secmark_active)
>>> - if (avc_has_perm(peer_sid, skb->secmark,
>>> + if (avc_has_perm(peer_sid,
>>> + ?selinux_secmark_to_secid(skb-
>>>> secmark),
>>> ? ?SECCLASS_PACKET, secmark_perm,
>>> &ad))
>>> ? return NF_DROP_ERR(-ECONNREFUSED);
>>> ?
>>> @@ -6339,6 +6354,8 @@ static __init int selinux_init(void)
>>> ?
>>> ? security_add_hooks(selinux_hooks,
>>> ARRAY_SIZE(selinux_hooks),
>>> "selinux");
>>> ?
>>> + selinux_secids_index = selinux_hooks[0].lsm_index;
>>> +
>>> ? if (avc_add_callback(selinux_netcache_avc_callback,
>>> AVC_CALLBACK_RESET))
>>> ? panic("SELinux: Unable to register AVC netcache
>>> callback\n");
>>> ?
>>> diff --git a/security/selinux/include/xfrm.h
>>> b/security/selinux/include/xfrm.h
>>> index 1450f85b946d..475a328248b3 100644
>>> --- a/security/selinux/include/xfrm.h
>>> +++ b/security/selinux/include/xfrm.h
>>> @@ -25,7 +25,7 @@ int selinux_xfrm_state_delete(struct xfrm_state
>>> *x);
>>> ?int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32
>>> fl_secid, u8 dir);
>>> ?int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
>>> ? ??????struct xfrm_policy *xp,
>>> - ??????const struct flowi *fl);
>>> + ??????u32 fl_secid);
>>> ?
>>> ?#ifdef CONFIG_SECURITY_NETWORK_XFRM
>>> ?extern atomic_t selinux_xfrm_refcount;
>>> diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
>>> index 789d07bd900f..d71e2c32b5da 100644
>>> --- a/security/selinux/xfrm.c
>>> +++ b/security/selinux/xfrm.c
>>> @@ -174,7 +174,7 @@ int selinux_xfrm_policy_lookup(struct
>>> xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
>>> ? */
>>> ?int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
>>> ? ??????struct xfrm_policy *xp,
>>> - ??????const struct flowi *fl)
>>> + ??????u32 fl_secid)
>>> ?{
>>> ? u32 state_sid;
>>> ?
>>> @@ -196,13 +196,13 @@ int selinux_xfrm_state_pol_flow_match(struct
>>> xfrm_state *x,
>>> ?
>>> ? state_sid = x->security->ctx_sid;
>>> ?
>>> - if (fl->flowi_secid != state_sid)
>>> + if (fl_secid != state_sid)
>>> ? return 0;
>>> ?
>>> ? /* We don't need a separate SA Vs. policy polmatch check
>>> since the SA
>>> ? ?* is now of the same label as the flow and a flow Vs.
>>> policy polmatch
>>> ? ?* check had already happened in
>>> selinux_xfrm_policy_lookup() above. */
>>> - return (avc_has_perm(fl->flowi_secid, state_sid,
>>> + return (avc_has_perm(fl_secid, state_sid,
>>> ? ????SECCLASS_ASSOCIATION,
>>> ASSOCIATION__SENDTO,
>>> ? ????NULL) ? 0 : 1);
>>> ?}
>>> diff --git a/security/smack/smack.h b/security/smack/smack.h
>>> index e7611de071f1..e9fd586e0ec1 100644
>>> --- a/security/smack/smack.h
>>> +++ b/security/smack/smack.h
>>> @@ -328,6 +328,7 @@ void smk_destroy_label_list(struct list_head
>>> *list);
>>> ? * Shared data.
>>> ? */
>>> ?extern int smack_enabled;
>>> +extern int smack_secids_index;
>>> ?extern int smack_cipso_direct;
>>> ?extern int smack_cipso_mapped;
>>> ?extern struct smack_known *smack_net_ambient;
>>> diff --git a/security/smack/smack_lsm.c
>>> b/security/smack/smack_lsm.c
>>> index 1e9ab7bdaf55..51daf9b05f17 100644
>>> --- a/security/smack/smack_lsm.c
>>> +++ b/security/smack/smack_lsm.c
>>> @@ -57,6 +57,7 @@ static LIST_HEAD(smk_ipv6_port_list);
>>> ?#endif
>>> ?static struct kmem_cache *smack_inode_cache;
>>> ?int smack_enabled;
>>> +int smack_secids_index;
>>> ?
>>> ?static const match_table_t smk_mount_tokens = {
>>> ? {Opt_fsdefault, SMK_FSDEFAULT "%s"},
>>> @@ -3788,6 +3789,13 @@ static int smk_skb_to_addr_ipv6(struct
>>> sk_buff
>>> *skb, struct sockaddr_in6 *sip)
>>> ?}
>>> ?#endif /* CONFIG_IPV6 */
>>> ?
>>> +#ifdef CONFIG_SECURITY_SMACK_NETFILTER
>>> +static u32 smk_of_secmark(u32 secmark)
>>> +{
>>> + return lsm_token_to_module_secid(secmark,
>>> smack_secids_index);
>>> +}
>>> +#endif
>>> +
>>> ?/**
>>> ? * smack_socket_sock_rcv_skb - Smack packet delivery access check
>>> ? * @sk: socket
>>> @@ -3819,7 +3827,7 @@ static int smack_socket_sock_rcv_skb(struct
>>> sock *sk, struct sk_buff *skb)
>>> ? ?* The secmark is assumed to reflect policy
>>> better.
>>> ? ?*/
>>> ? if (skb && skb->secmark != 0) {
>>> - skp = smack_from_secid(skb->secmark);
>>> + skp = smack_from_secid(smk_of_secmark(skb-
>>>> secmark));
>>> ? goto access_check;
>>> ? }
>>> ?#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
>>> @@ -3864,7 +3872,7 @@ static int smack_socket_sock_rcv_skb(struct
>>> sock *sk, struct sk_buff *skb)
>>> ? break;
>>> ?#ifdef SMACK_IPV6_SECMARK_LABELING
>>> ? if (skb && skb->secmark != 0)
>>> - skp = smack_from_secid(skb->secmark);
>>> + skp = smack_from_secid(smk_of_secmark(skb-
>>>> secmark));
>>> ? else
>>> ? skp = smack_ipv6host_label(&sadd);
>>> ? if (skp == NULL)
>>> @@ -3962,7 +3970,7 @@ static int
>>> smack_socket_getpeersec_dgram(struct
>>> socket *sock,
>>> ? break;
>>> ? case PF_INET:
>>> ?#ifdef CONFIG_SECURITY_SMACK_NETFILTER
>>> - s = skb->secmark;
>>> + s = smk_of_secmark(skb->secmark);
>>> ? if (s != 0)
>>> ? break;
>>> ?#endif
>>> @@ -3981,7 +3989,7 @@ static int
>>> smack_socket_getpeersec_dgram(struct
>>> socket *sock,
>>> ? break;
>>> ? case PF_INET6:
>>> ?#ifdef SMACK_IPV6_SECMARK_LABELING
>>> - s = skb->secmark;
>>> + s = smk_of_secmark(skb->secmark);
>>> ?#endif
>>> ? break;
>>> ? }
>>> @@ -4060,7 +4068,7 @@ static int smack_inet_conn_request(struct
>>> sock
>>> *sk, struct sk_buff *skb,
>>> ? ?* The secmark is assumed to reflect policy better.
>>> ? ?*/
>>> ? if (skb && skb->secmark != 0) {
>>> - skp = smack_from_secid(skb->secmark);
>>> + skp = smack_from_secid(smk_of_secmark(skb-
>>>> secmark));
>>> ? goto access_check;
>>> ? }
>>> ?#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
>>> @@ -4650,6 +4658,7 @@ static __init int smack_init(void)
>>> ? ?* Register with LSM
>>> ? ?*/
>>> ? security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks),
>>> "smack");
>>> + smack_secids_index = smack_hooks[0].lsm_index;
>>> ? smack_enabled = 1;
>>> ?
>>> ? pr_info("Smack:??Initializing.\n");
>>> diff --git a/security/smack/smack_netfilter.c
>>> b/security/smack/smack_netfilter.c
>>> index a5155295551f..510661ba6c16 100644
>>> --- a/security/smack/smack_netfilter.c
>>> +++ b/security/smack/smack_netfilter.c
>>> @@ -23,6 +23,19 @@
>>> ?
>>> ?#if IS_ENABLED(CONFIG_IPV6)
>>> ?
>>> +/*
>>> + * Reinvestigate this soon?
>>> + *
>>> + */
>>> +static u32 smack_to_secmark(u32 secid)
>>> +{
>>> + struct lsm_secids secids;
>>> +
>>> + lsm_secids_init(&secids);
>>> + secids.secid[smack_secids_index] = secid;
>>> + return lsm_secids_to_token(&secids);
>>> +}
>>> +
>>> ?static unsigned int smack_ipv6_output(void *priv,
>>> ? struct sk_buff *skb,
>>> ? const struct nf_hook_state
>>> *state)
>>> @@ -34,7 +47,7 @@ static unsigned int smack_ipv6_output(void *priv,
>>> ? if (sk && smack_sock(sk)) {
>>> ? ssp = smack_sock(sk);
>>> ? skp = ssp->smk_out;
>>> - skb->secmark = skp->smk_secid;
>>> + skb->secmark = smack_to_secmark(skp->smk_secid);
>>> ? }
>>> ?
>>> ? return NF_ACCEPT;
>>> @@ -52,7 +65,7 @@ static unsigned int smack_ipv4_output(void *priv,
>>> ? if (sk && smack_sock(sk)) {
>>> ? ssp = smack_sock(sk);
>>> ? skp = ssp->smk_out;
>>> - skb->secmark = skp->smk_secid;
>>> + skb->secmark = smack_to_secmark(skp->smk_secid);
>>> ? }
>>> ?
>>> ? return NF_ACCEPT;
>>> diff --git a/security/stacking.c b/security/stacking.c
>>> new file mode 100644
>>> index 000000000000..65276cd695de
>>> --- /dev/null
>>> +++ b/security/stacking.c
>>> @@ -0,0 +1,165 @@
>>> +/*
>>> + *??Maintain a mapping between the secid used in networking
>>> + *??and the set of secids used by the security modules.
>>> + *
>>> + *??Author:
>>> + * Casey Schaufler <casey@schaufler-ca.com>
>>> + *
>>> + *??Copyright (C) 2017 Casey Schaufler <casey@schaufler-ca.com>
>>> + *??Copyright (C) 2017 Intel Corporation.
>>> + *
>>> + * This program is free software; you can redistribute it
>>> and/or modify
>>> + * it under the terms of the GNU General Public License
>>> version 2,
>>> + *??????as published by the Free Software Foundation.
>>> + */
>>> +
>>> +#include <linux/lsm_hooks.h>
>>> +
>>> +struct token_entry {
>>> + int used; /* relative age of
>>> the entry */
>>> + u32 token; /* token value */
>>> + struct lsm_secids secids; /* secids mapped
>>> to
>>> this token */
>>> +};
>>> +
>>> +/*
>>> + * Add an entry to the table when asked for a mapping that
>>> + * isn't already present. If the table is full throw away the
>>> + * least recently used entry. If the entry is present undate
>>> + * when it was used.
>>> + */
>>> +#define TOKEN_AGE_LIMIT (MAX_INT >> 2)
>>> +#define TOKEN_LIMIT 0x20000000
>>> +#define TOKEN_SET_SIZE 200
>>> +#define TOKEN_BIT 0x80000000
>>> +int token_used;
>>> +u32 token_next;
>>> +struct lsm_secids null_secids;
>>> +struct token_entry token_set[TOKEN_SET_SIZE];
>>> +
>>> +#ifdef CONFIG_SECURITY_LSM_DEBUG
>>> +static void report_token(const char *msg, const struct token_entry
>>> *te)
>>> +{
>>> + int i;
>>> +
>>> + pr_info("LSM: %s token=%08x %u,%u,%u,%u,%u,%u,%u,%u\n",
>>> msg,
>>> te->token,
>>> + te->secids.secid[0], te->secids.secid[1], te-
>>>> secids.secid[2],
>>> + te->secids.secid[3], te->secids.secid[4], te-
>>>> secids.secid[5],
>>> + te->secids.secid[6], te->secids.secid[7]);
>>> + for (i = 0; i < LSM_MAX_MAJOR; i++)
>>> + if (te->secids.secid[i] & TOKEN_BIT)
>>> + pr_info("LSM: module %d provided a
>>> token.\n", i);
>>> +}
>>> +#else
>>> +static inline void report_token(const char *msg, const struct
>>> token_entry *te)
>>> +{
>>> +}
>>> +#endif
>>> +
>>> +static int next_used(void)
>>> +{
>>> + if (token_next >= TOKEN_LIMIT) {
>>> + pr_info("LSM: Security token use overflow - safe
>>> reset\n");
>>> + token_used = 0;
>>> + }
>>> + return ++token_used;
>>> +}
>>> +
>>> +static u32 next_token(void)
>>> +{
>>> + if (token_next >= TOKEN_LIMIT) {
>>> + pr_info("LSM: Security token overflow - safe
>>> reset\n");
>>> + token_next = 0;
>>> + }
>>> + return ++token_next | TOKEN_BIT;
>>> +}
>>> +
>>> +u32 lsm_secids_to_token(const struct lsm_secids *secids)
>>> +{
>>> + int i;
>>> + int j;
>>> + int old;
>>> +
>>> +#ifdef CONFIG_SECURITY_LSM_DEBUG
>>> + for (i = 0; i < LSM_MAX_MAJOR; i++)
>>> + if (secids->secid[i] & TOKEN_BIT)
>>> + pr_info("LSM: %s secid[%d]=%08x has token
>>> bit\n",
>>> + __func__, i, secids->secid[i]);
>>> +#endif
>>> +
>>> + /*
>>> + ?* If none of the secids are set whoever sent this here
>>> + ?* was thinking "0".
>>> + ?*/
>>> + if (!memcmp(secids, &null_secids, sizeof(*secids)))
>>> + return 0;
>>> +
>>> + for (i = 0; i < TOKEN_SET_SIZE; i++) {
>>> + if (token_set[i].token == 0)
>>> + break;
>>> + if (!memcmp(secids, &token_set[i].secids,
>>> sizeof(*secids))) {
>>> + token_set[i].used = next_used();
>>> + return token_set[i].token;
>>> + }
>>> + }
>>> + if (i == TOKEN_SET_SIZE) {
>>> + old = token_used;
>>> + for (j = 0; j < TOKEN_SET_SIZE; j++) {
>>> + if (token_set[j].used < old) {
>>> + old = token_set[j].used;
>>> + i = j;
>>> + }
>>> + }
>>> + }
>>> + token_set[i].secids = *secids;
>>> + token_set[i].token = next_token();
>>> + token_set[i].used = next_used();
>>> +
>>> + report_token("new", &token_set[i]);
>>> +
>>> + return token_set[i].token;
>>> +}
>>> +
>>> +void lsm_token_to_secids(const u32 token, struct lsm_secids
>>> *secids)
>>> +{
>>> + int i;
>>> + struct lsm_secids fudge;
>>> +
>>> + if (token) {
>>> + if (!(token & TOKEN_BIT)) {
>>> +#ifdef CONFIG_SECURITY_LSM_DEBUG
>>> + pr_info("LSM: %s token=%08x has no token
>>> bit\n",
>>> + __func__, token);
>>> +#endif
>>> + for (i = 0; i < LSM_MAX_MAJOR; i++)
>>> + fudge.secid[i] = token;
>>> + *secids = fudge;
>>> + return;
>>> + }
>>> + for (i = 0; i < TOKEN_SET_SIZE; i++) {
>>> + if (token_set[i].token == 0)
>>> + break;
>>> + if (token_set[i].token == token) {
>>> + *secids = token_set[i].secids;
>>> + token_set[i].used = next_used();
>>> + return;
>>> + }
>>> + }
>>> +#ifdef CONFIG_SECURITY_LSM_DEBUG
>>> + pr_info("LSM: %s token=%u was not found\n", __func__,
>>> token);
>>> +#endif
>>> + }
>>> + *secids = null_secids;
>>> +}
>>> +
>>> +u32 lsm_token_to_module_secid(const u32 token, int lsm)
>>> +{
>>> + struct lsm_secids secids;
>>> +
>>> +????????lsm_token_to_secids(token, &secids);
>>> + return secids.secid[lsm];
>>> +}
>>> +
>>> +void lsm_secids_init(struct lsm_secids *secids)
>>> +{
>>> + *secids = null_secids;
>>> +}
>> ENOLOCKING
Indeed. I felt it better to put this out with known
issues than to hold back another release cycle. It also
provides the opportunity for some eager individual to
provide a proper implementation should they be inclined
to show me how it's done properly. :)
> Also, how do you know that it is safe to reclaim the least recently
> used entry? Previously issued tokens/secids may have been cached in
> other kernel data structures, and you have no guarantees that they are
> no longer in use there.
The reuse of secids is a problem the security modules need to address.
Smack, for example, cannot overflow the 32 bit secid limit without
running out of memory on any computer existing today or in the near future.
The reuse of tokens is another matter. But we know where they are used.
They are used in audit and network operations, and the lifetime of the
association is short. Audit gets secids or tokens from things, uses them
to create strings, and is done. Local networking only needs a token for the
time of transmission. Off-box networking is where there is likely to be
a problem. There are still issues with getting tokens into netlabel, and
it's going to be a full blown labeled network that's going to lead to
trouble.
> A simple find / -ls on a Fedora system will roll over your token set
> size many times.
Nope. I tried it, and as I expected, it introduced no new tokens.
Tokens are only allocated when they are needed, and none of the
operations involved in "find / -ls" or "find / -exec ls -Z" use
secids. It is going to require audit and/or network operations
to get more tokens created. The SELinux test suite, which changes
network configuration, does create a few new tokens.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 21+ messages in thread
end of thread, other threads:[~2017-08-31 22:43 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-29 20:52 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
2017-08-29 20:55 ` [PATCH 01/11] procfs: add smack subdir to attrs Casey Schaufler
2017-08-31 9:12 ` John Johansen
2017-08-29 20:56 ` Subject: [PATCH 02/11] LSM: manage credential security blobs Casey Schaufler
2017-08-29 20:57 ` [PATCH 03/11] LSM: Manage file " Casey Schaufler
2017-08-31 15:47 ` [Non-DoD Source] " Stephen Smalley
2017-08-31 15:58 ` Casey Schaufler
2017-08-31 18:41 ` Stephen Smalley
2017-08-29 20:58 ` [PATCH 04/11] LSM: manage task " Casey Schaufler
2017-08-29 20:59 ` [PATCH 05/11] LSM: Infrastructure management of the remaining blobs Casey Schaufler
2017-08-31 16:09 ` [Non-DoD Source] " Stephen Smalley
2017-08-29 21:00 ` [PATCH 06/11] LSM: general but not extreme module stacking Casey Schaufler
2017-08-30 7:28 ` James Morris
2017-08-29 21:01 ` [PATCH 07/11] LSM: Shared secids by token Casey Schaufler
2017-08-31 16:30 ` [Non-DoD Source] " Stephen Smalley
2017-08-31 18:37 ` Stephen Smalley
2017-08-31 22:43 ` Casey Schaufler
2017-08-29 21:02 ` [PATCH 08/11] LSM: Complete abstraction of superblock blob in Smack Casey Schaufler
2017-08-29 21:03 ` [PATCH 09/11] LSM: Multiple security mount option support Casey Schaufler
2017-08-29 21:03 ` [PATCH 10/11] LSM: Complete task_alloc hook Casey Schaufler
2017-08-29 21:05 ` [PATCH 11/11] LSM: Allow stacking of all existing security Casey Schaufler
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.