* [PATCH RFC 00/11] LSM: Stacking for major security modules
@ 2017-04-05 21:39 Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 01/11] procfs: add smack subdir to attrs Casey Schaufler
` (10 more replies)
0 siblings, 11 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:39 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 00/11] LSM: Stacking for major security modules
I am again sending this as an RFC. If you stop at patch 04 you can
use any combination of modules so long as you use only one of
SELinux and Smack. Patches 05-10 take you most of the way to complete
stacking, but cannot be said to completely address all the issues.
Patch 11 provides for management of the yet unused task blob.
This patch set implements stacking for "major" security modules
that use cred and file blobs. Management of security blobs is
moved from the security modules and into the LSM infrastructure.
This has been proposed in the past by Serge Hallyn and David Howells.
This implementation owes much to their work.
The bulk of the change is in abstracting use of blobs within the
security modules. This allows the modules to share a single blob
and hides the details from the code. There is
Modules are required to declare the amount of space they require
for each blob they use. Because modules deal with blobs during their
initialization the blob sizes must be declared prior to module
initialization. The module initialization becomes a two step process.
Security module stacking is optional. If stacking is not configured,
the CONFIG_DEFAULT_SECURITY value is used, just as before. If stacking
is configured using CONFIG_SECURITY_STACKING the modules desired for
the stack are selected individually. AppArmor would be selected by
specifying CONFIG_SECURITY_APPARMOR_STACKED. The CONFIG_DEFAULT_SECURITY
is ignored. The security= boot option is still respected and has the
same behavior as before, allowing a single module to be used instead of
the specified stack.
To accommodate multiple active modules a security "context" is
defined to use a regular format:
lsmname='lsmvalue'[,lsmname='lsmvalue']...
This is not supported by any existing user space run time code.
I have tested these patches in various configurations of Ubuntu and
Fedora. I have had much better success with SELinux in permissive mode
than enforcing, but that appears to be a result of user space code
issues. Smack and SELinux together have limited success, again because
of the context format.
Patch 01 Adds a smack subdirectory in /proc/.../attr (proposed separately)
Patch 02 Move management of the cred blob to the LSM infrastructure.
Patch 03 Move management of the file blob to the LSM infrastructure.
Patch 04 Change how the security modules get selected.
Patch 05 Infrastructure blob management for IPC, keys, sockets.
Patch 06 Fixes Smack's sk_free hook.
Patch 07 Support mount options for multiple security modules.
Patch 08 Change secids from a u32 to a structure.
Patch 09 Netlabel consistency enforcment in sendmsg.
Patch 10 Fixes a compile issue in one Smack configuration.
Patch 11 Infrastructure blob management for the new task blob.
These patches can be found in git at:
https://github.com/cschaufler/smack-next.git#stacking-4.11-rc4
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/security/LSM.txt | 33 +-
drivers/usb/core/devio.c | 13 +-
fs/btrfs/super.c | 10 +-
fs/proc/base.c | 96 ++-
fs/proc/internal.h | 1 +
fs/xattr.c | 6 +-
include/linux/audit.h | 10 +-
include/linux/cred.h | 3 +-
include/linux/lsm_hooks.h | 76 ++-
include/linux/sched/signal.h | 2 +-
include/linux/security.h | 227 +++++--
include/net/flow.h | 5 +-
include/net/netlabel.h | 16 +-
include/net/scm.h | 4 +-
kernel/audit.c | 25 +-
kernel/audit.h | 9 +-
kernel/auditfilter.c | 4 +-
kernel/auditsc.c | 42 +-
kernel/cred.c | 19 +-
kernel/signal.c | 6 +-
net/ipv4/cipso_ipv4.c | 5 +-
net/ipv4/ip_sockglue.c | 6 +-
net/netfilter/nf_conntrack_netlink.c | 12 +-
net/netfilter/nf_conntrack_standalone.c | 6 +-
net/netfilter/nfnetlink_queue.c | 9 +-
net/netfilter/xt_AUDIT.c | 9 +-
net/netfilter/xt_SECMARK.c | 6 +-
net/netlabel/netlabel_kapi.c | 56 +-
net/netlabel/netlabel_unlabeled.c | 30 +-
net/netlabel/netlabel_unlabeled.h | 2 +-
net/netlabel/netlabel_user.c | 4 +-
net/unix/af_unix.c | 6 +-
net/xfrm/xfrm_policy.c | 6 +-
net/xfrm/xfrm_state.c | 3 +-
security/Kconfig | 86 +++
security/apparmor/context.c | 2 -
security/apparmor/include/context.h | 25 +-
security/apparmor/lsm.c | 111 ++--
security/integrity/ima/ima_policy.c | 7 +-
security/security.c | 1046 +++++++++++++++++++++++++++++--
security/selinux/hooks.c | 720 +++++++++------------
security/selinux/include/audit.h | 2 +-
security/selinux/include/objsec.h | 87 ++-
security/selinux/include/xfrm.h | 9 +-
security/selinux/netlabel.c | 17 +-
security/selinux/selinuxfs.c | 5 +-
security/selinux/ss/services.c | 13 +-
security/selinux/xfrm.c | 29 +-
security/smack/smack.h | 95 ++-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 751 +++++++++-------------
security/smack/smack_netfilter.c | 28 +-
security/smack/smackfs.c | 28 +-
security/tomoyo/common.h | 25 +-
security/tomoyo/domain.c | 4 +-
security/tomoyo/securityfs_if.c | 13 +-
security/tomoyo/tomoyo.c | 55 +-
57 files changed, 2647 insertions(+), 1280 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH RFC 01/11] procfs: add smack subdir to attrs
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
@ 2017-04-05 21:52 ` Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 02/11] LSM: manage credential security blobs Casey Schaufler
` (9 subsequent siblings)
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:52 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 01/11] procfs: add smack subdir to attrs
Back in 2007 I made what turned out to be a rather serious
mistake in the implementation of the Smack security module.
The SELinux module used an interface in /proc to manipulate
the security context on processes. Rather than use a similar
interface, I used the same interface. The AppArmor team did
likewise. Now /proc/.../attr/current will tell you the
security "context" of the process, but it will be different
depending on the security module you're using.
This patch provides a subdirectory in /proc/.../attr for
Smack. Smack user space can use the "current" file in
this subdirectory and never have to worry about getting
SELinux attributes by mistake. Programs that use the
old interface will continue to work (or fail, as the case
may be) as before.
This patch does not include subdirectories for SELinux
or AppArmor. I do have a patch that provides those, and
will happily make it available should anyone see value
in it.
The original implementation is by Kees Cook.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/security/LSM.txt | 19 +++++++++----
fs/proc/base.c | 63 ++++++++++++++++++++++++++++++++++++------
fs/proc/internal.h | 1 +
include/linux/security.h | 15 ++++++----
security/security.c | 30 +++++++++++++++++---
5 files changed, 104 insertions(+), 24 deletions(-)
diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt
index c2683f2..57eafbc 100644
--- a/Documentation/security/LSM.txt
+++ b/Documentation/security/LSM.txt
@@ -16,11 +16,10 @@ MAC extensions, other extensions can be built using the LSM to provide
specific changes to system operation when these tweaks are not available
in the core functionality of Linux itself.
-Without a specific LSM built into the kernel, the default LSM will be the
-Linux capabilities system. Most LSMs choose to extend the capabilities
-system, building their checks on top of the defined capability hooks.
-For more details on capabilities, see capabilities(7) in the Linux
-man-pages project.
+The Linux capabilities modules will always be included. For more details
+on capabilities, see capabilities(7) in the Linux man-pages project.
+This may be followed by any number of "minor" modules and at most one
+"major" module.
A list of the active security modules can be found by reading
/sys/kernel/security/lsm. This is a comma separated list, and
@@ -29,6 +28,14 @@ order in which checks are made. The capability module will always
be first, followed by any "minor" modules (e.g. Yama) and then
the one "major" module (e.g. SELinux) if there is one configured.
+Process attributes associated with "major" security modules should
+be accessed and maintained using the special files in /proc/.../attr.
+A security module may maintain a module specific subdirectory there,
+named after the module. /proc/.../attr/smack is provided by the Smack
+security module and contains all its special files. The files directly
+in /proc/.../attr remain as legacy interfaces for modules that provide
+subdirectories.
+
Based on https://lkml.org/lkml/2007/10/26/215,
a new LSM is accepted into the kernel when its intent (a description of
what it tries to protect against and in what cases one would expect to
@@ -38,4 +45,4 @@ that end users and distros can make a more informed decision about which
LSMs suit their requirements.
For extensive documentation on the available LSM hook interfaces, please
-see include/linux/security.h.
+see include/linux/lsm_hooks.h.
diff --git a/fs/proc/base.c b/fs/proc/base.c
index c87b6b9..2decd2f 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -139,9 +139,13 @@ struct pid_entry {
#define REG(NAME, MODE, fops) \
NOD(NAME, (S_IFREG|(MODE)), NULL, &fops, {})
#define ONE(NAME, MODE, show) \
- NOD(NAME, (S_IFREG|(MODE)), \
+ NOD(NAME, (S_IFREG|(MODE)), \
NULL, &proc_single_file_operations, \
{ .proc_show = show } )
+#define ATTR(LSM, NAME, MODE) \
+ NOD(NAME, (S_IFREG|(MODE)), \
+ NULL, &proc_pid_attr_operations, \
+ { .lsm = LSM })
/*
* Count the number of hardlinks for the pid_entry table, excluding the .
@@ -2455,7 +2459,7 @@ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
if (!task)
return -ESRCH;
- length = security_getprocattr(task,
+ length = security_getprocattr(task, PROC_I(inode)->op.lsm,
(char*)file->f_path.dentry->d_name.name,
&p);
put_task_struct(task);
@@ -2501,7 +2505,8 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
if (length < 0)
goto out_free;
- length = security_setprocattr(file->f_path.dentry->d_name.name,
+ length = security_setprocattr(PROC_I(inode)->op.lsm,
+ file->f_path.dentry->d_name.name,
page, count);
mutex_unlock(¤t->signal->cred_guard_mutex);
out_free:
@@ -2518,13 +2523,53 @@ static const struct file_operations proc_pid_attr_operations = {
.llseek = generic_file_llseek,
};
+#define LSM_DIR_OPS(LSM) \
+static int proc_##LSM##_attr_dir_iterate(struct file *filp, \
+ struct dir_context *ctx) \
+{ \
+ return proc_pident_readdir(filp, ctx, \
+ LSM##_attr_dir_stuff, \
+ ARRAY_SIZE(LSM##_attr_dir_stuff)); \
+} \
+\
+static const struct file_operations proc_##LSM##_attr_dir_ops = { \
+ .read = generic_read_dir, \
+ .iterate = proc_##LSM##_attr_dir_iterate, \
+ .llseek = default_llseek, \
+}; \
+\
+static struct dentry *proc_##LSM##_attr_dir_lookup(struct inode *dir, \
+ struct dentry *dentry, unsigned int flags) \
+{ \
+ return proc_pident_lookup(dir, dentry, \
+ LSM##_attr_dir_stuff, \
+ ARRAY_SIZE(LSM##_attr_dir_stuff)); \
+} \
+\
+static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \
+ .lookup = proc_##LSM##_attr_dir_lookup, \
+ .getattr = pid_getattr, \
+ .setattr = proc_setattr, \
+}
+
+#ifdef CONFIG_SECURITY_SMACK
+static const struct pid_entry smack_attr_dir_stuff[] = {
+ ATTR("smack", "current", 0666),
+};
+LSM_DIR_OPS(smack);
+#endif
+
static const struct pid_entry attr_dir_stuff[] = {
- REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("prev", S_IRUGO, proc_pid_attr_operations),
- REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ ATTR(NULL, "current", 0666),
+ ATTR(NULL, "prev", 0444),
+ ATTR(NULL, "exec", 0666),
+ ATTR(NULL, "fscreate", 0666),
+ ATTR(NULL, "keycreate", 0666),
+ ATTR(NULL, "sockcreate", 0666),
+#ifdef CONFIG_SECURITY_SMACK
+ DIR("smack", 0555,
+ proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
+#endif
};
static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
index c5ae09b..8b7d101 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -58,6 +58,7 @@ union proc_op {
int (*proc_show)(struct seq_file *m,
struct pid_namespace *ns, struct pid *pid,
struct task_struct *task);
+ const char *lsm;
};
struct proc_inode {
diff --git a/include/linux/security.h b/include/linux/security.h
index af675b5..8ee9dbd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -365,8 +365,10 @@ int security_sem_semctl(struct sem_array *sma, int cmd);
int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
unsigned nsops, int alter);
void security_d_instantiate(struct dentry *dentry, struct inode *inode);
-int security_getprocattr(struct task_struct *p, char *name, char **value);
-int security_setprocattr(const char *name, void *value, size_t size);
+int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ char **value);
+int security_setprocattr(const char *lsm, const char *name, void *value,
+ size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
@@ -1111,15 +1113,18 @@ static inline int security_sem_semop(struct sem_array *sma,
return 0;
}
-static inline void security_d_instantiate(struct dentry *dentry, struct inode *inode)
+static inline void security_d_instantiate(struct dentry *dentry,
+ struct inode *inode)
{ }
-static inline int security_getprocattr(struct task_struct *p, char *name, char **value)
+static inline int security_getprocattr(struct task_struct *p, const char *lsm,
+ char *name, char **value)
{
return -EINVAL;
}
-static inline int security_setprocattr(char *name, void *value, size_t size)
+static inline int security_setprocattr(const char *lsm, char *name,
+ void *value, size_t size)
{
return -EINVAL;
}
diff --git a/security/security.c b/security/security.c
index 549bddc..e28bb98 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1216,14 +1216,36 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode)
}
EXPORT_SYMBOL(security_d_instantiate);
-int security_getprocattr(struct task_struct *p, char *name, char **value)
+int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ char **value)
{
- return call_int_hook(getprocattr, -EINVAL, p, name, value);
+ struct security_hook_list *hp;
+ int rc;
+
+ list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ rc = hp->hook.getprocattr(p, name, value);
+ if (rc != -ENOENT)
+ return rc;
+ }
+ return -EINVAL;
}
-int security_setprocattr(const char *name, void *value, size_t size)
+int security_setprocattr(const char *lsm, const char *name, void *value,
+ size_t size)
{
- return call_int_hook(setprocattr, -EINVAL, name, value, size);
+ struct security_hook_list *hp;
+ int rc;
+
+ list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ rc = hp->hook.setprocattr(name, value, size);
+ if (rc != -ENOENT)
+ return rc;
+ }
+ return -EINVAL;
}
int security_netlink_send(struct sock *sk, struct sk_buff *skb)
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 02/11] LSM: manage credential security blobs
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 01/11] procfs: add smack subdir to attrs Casey Schaufler
@ 2017-04-05 21:52 ` Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 03/11] LSM: Manage file " Casey Schaufler
` (8 subsequent siblings)
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:52 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 02/11] LSM: manage credential security blobs
Move the management of credential security blobs from the
individual security modules to the security infrastructure.
The security modules using credential blobs have been updated
accordingly. Modules are required to identify the space they
require at module initialization. In some cases a module no
longer needs to supply blob management hook, in which case
the hook has been removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 14 ++++
kernel/cred.c | 13 ----
security/Kconfig | 11 +++
security/apparmor/context.c | 2 -
security/apparmor/include/context.h | 9 ++-
security/apparmor/lsm.c | 44 ++++--------
security/security.c | 98 +++++++++++++++++++++++++-
security/selinux/hooks.c | 115 ++++++++++++-------------------
security/selinux/include/objsec.h | 9 +++
security/selinux/selinuxfs.c | 1 +
security/selinux/xfrm.c | 4 +-
security/smack/smack.h | 15 +++-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 134 +++++++++++++++---------------------
security/smack/smackfs.c | 18 ++---
security/tomoyo/common.h | 20 +++++-
security/tomoyo/domain.c | 4 +-
security/tomoyo/securityfs_if.c | 13 ++--
security/tomoyo/tomoyo.c | 49 ++++++++++---
19 files changed, 346 insertions(+), 229 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 080f34e..41f01e2 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1890,6 +1890,13 @@ struct security_hook_list {
};
/*
+ * Security blob size or offset data.
+ */
+struct lsm_blob_sizes {
+ int lbs_cred;
+};
+
+/*
* Initializing a security_hook_list structure takes
* up a lot of space in a source file. This macro takes
* care of the common case and reduces the amount of
@@ -1901,6 +1908,7 @@ struct security_hook_list {
extern struct security_hook_heads security_hook_heads;
extern char *lsm_names;
+extern void security_add_blobs(struct lsm_blob_sizes *needed);
extern void security_add_hooks(struct security_hook_list *hooks, int count,
char *lsm);
@@ -1947,4 +1955,10 @@ void __init loadpin_add_hooks(void);
static inline void loadpin_add_hooks(void) { };
#endif
+extern int lsm_cred_alloc(struct cred *cred, gfp_t gfp);
+
+#ifdef CONFIG_SECURITY
+void lsm_early_cred(struct cred *cred);
+#endif
+
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/kernel/cred.c b/kernel/cred.c
index 2bc6607..ac73851 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -704,19 +704,6 @@ bool creds_are_invalid(const struct cred *cred)
{
if (cred->magic != CRED_MAGIC)
return true;
-#ifdef CONFIG_SECURITY_SELINUX
- /*
- * cred->security == NULL if security_cred_alloc_blank() or
- * security_prepare_creds() returned an error.
- */
- if (selinux_is_enabled() && cred->security) {
- if ((unsigned long) cred->security < PAGE_SIZE)
- return true;
- if ((*(u32 *)cred->security & 0xffffff00) ==
- (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
- return true;
- }
-#endif
return false;
}
EXPORT_SYMBOL(creds_are_invalid);
diff --git a/security/Kconfig b/security/Kconfig
index 3ff1bf9..84e13c0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -36,6 +36,17 @@ config SECURITY_WRITABLE_HOOKS
bool
default n
+config SECURITY_LSM_DEBUG
+ bool "Enable debugging of the LSM infrastructure"
+ depends on SECURITY
+ help
+ This allows you to choose debug messages related to
+ security modules configured into your kernel. These
+ messages may be helpful in determining how a security
+ module is using security blobs.
+
+ If you are unsure how to answer this question, answer N.
+
config SECURITYFS
bool "Enable the securityfs filesystem"
help
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index 1fc16b8..140bdce 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -50,8 +50,6 @@ void aa_free_task_context(struct aa_task_ctx *ctx)
aa_put_profile(ctx->profile);
aa_put_profile(ctx->previous);
aa_put_profile(ctx->onexec);
-
- kzfree(ctx);
}
}
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index 5b18fed..f35ad39 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -18,11 +18,12 @@
#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
+#include <linux/lsm_hooks.h>
#include "policy.h"
#include "policy_ns.h"
-#define cred_ctx(X) ((X)->security)
+#define cred_ctx(X) apparmor_cred(X)
#define current_ctx() cred_ctx(current_cred())
/* struct aa_file_ctx - the AppArmor context the file was opened in
@@ -86,6 +87,10 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token);
int aa_restore_previous_profile(u64 cookie);
struct aa_profile *aa_get_task_profile(struct task_struct *task);
+static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
+{
+ return cred->security;
+}
/**
* aa_cred_profile - obtain cred's profiles
@@ -97,7 +102,7 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task);
*/
static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
{
- struct aa_task_ctx *ctx = cred_ctx(cred);
+ struct aa_task_ctx *ctx = apparmor_cred(cred);
AA_BUG(!ctx || !ctx->profile);
return ctx->profile;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e287b69..56a8fd9 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -54,22 +54,6 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
static void apparmor_cred_free(struct cred *cred)
{
aa_free_task_context(cred_ctx(cred));
- cred_ctx(cred) = NULL;
-}
-
-/*
- * allocate the apparmor part of blank credentials
- */
-static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- /* freed by apparmor_cred_free */
- struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
-
- if (!ctx)
- return -ENOMEM;
-
- cred_ctx(cred) = ctx;
- return 0;
}
/*
@@ -78,14 +62,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- /* freed by apparmor_cred_free */
- struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
-
- if (!ctx)
- return -ENOMEM;
-
- aa_dup_task_context(ctx, cred_ctx(old));
- cred_ctx(new) = ctx;
+ aa_dup_task_context(cred_ctx(new), cred_ctx(old));
return 0;
}
@@ -587,6 +564,10 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
+struct lsm_blob_sizes apparmor_blob_sizes = {
+ .lbs_cred = sizeof(struct aa_task_ctx),
+};
+
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
@@ -616,7 +597,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
- LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
LSM_HOOK_INIT(cred_free, apparmor_cred_free),
LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
@@ -868,12 +848,10 @@ static int __init set_init_ctx(void)
struct cred *cred = (struct cred *)current->real_cred;
struct aa_task_ctx *ctx;
- ctx = aa_alloc_task_context(GFP_KERNEL);
- if (!ctx)
- return -ENOMEM;
+ lsm_early_cred(cred);
+ ctx = apparmor_cred(cred);
ctx->profile = aa_get_profile(root_ns->unconfined);
- cred_ctx(cred) = ctx;
return 0;
}
@@ -957,8 +935,16 @@ static inline int apparmor_init_sysctl(void)
static int __init apparmor_init(void)
{
+ static int finish;
int error;
+ if (!finish) {
+ if (apparmor_enabled && security_module_enable("apparmor"))
+ security_add_blobs(&apparmor_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
if (!apparmor_enabled || !security_module_enable("apparmor")) {
aa_info_message("AppArmor disabled by boot time parameter");
apparmor_enabled = 0;
diff --git a/security/security.c b/security/security.c
index e28bb98..5160a52 100644
--- a/security/security.c
+++ b/security/security.c
@@ -34,6 +34,8 @@
struct security_hook_heads security_hook_heads __lsm_ro_after_init;
char *lsm_names;
+static struct lsm_blob_sizes blob_sizes;
+
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY;
@@ -71,10 +73,22 @@ int __init security_init(void)
loadpin_add_hooks();
/*
- * Load all the remaining security modules.
+ * The first call to a module specific init function
+ * updates the blob size requirements.
+ */
+ do_security_initcalls();
+
+ /*
+ * The second call to a module specific init function
+ * adds hooks to the hook lists and does any other early
+ * initializations required.
*/
do_security_initcalls();
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
+#endif
+
return 0;
}
@@ -142,6 +156,75 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
panic("%s - Cannot get early memory.\n", __func__);
}
+/**
+ * lsm_cred_alloc - allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ * @gfp: allocation type
+ *
+ * Allocate the cred blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (cred->security)
+ pr_info("%s: Inbound cred blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_cred == 0)
+ return 0;
+
+ cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
+ if (cred->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_early_cred - during initialization allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ *
+ * Allocate the cred blob for all the modules if it's not already there
+ */
+void lsm_early_cred(struct cred *cred)
+{
+ int rc;
+
+ if (cred == NULL)
+ panic("%s: NULL cred.\n", __func__);
+ if (cred->security != NULL)
+ return;
+ rc = lsm_cred_alloc(cred, GFP_KERNEL);
+ if (rc)
+ panic("%s: Early cred alloc failed.\n", __func__);
+}
+
+static void __init lsm_set_size(int *need, int *lbs)
+{
+ int offset;
+
+ if (*need > 0) {
+ offset = *lbs;
+ *lbs += *need;
+ *need = offset;
+ }
+}
+
+/**
+ * security_add_blobs - Report blob sizes
+ * @needed: the size of blobs needed by the module
+ *
+ * Each LSM has to register its blobs with the infrastructure.
+ * The "needed" data tells the infrastructure how much memory
+ * the module requires for each of its blobs. On return the
+ * structure is filled with the offset that module should use
+ * from the blob pointer.
+ */
+void __init security_add_blobs(struct lsm_blob_sizes *needed)
+{
+ lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
+}
+
/*
* Hook list operation macros.
*
@@ -949,16 +1032,29 @@ void security_task_free(struct task_struct *task)
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
+ int rc = lsm_cred_alloc(cred, gfp);
+
+ if (rc)
+ return rc;
+
return call_int_hook(cred_alloc_blank, 0, cred, gfp);
}
void security_cred_free(struct cred *cred)
{
call_void_hook(cred_free, cred);
+
+ kfree(cred->security);
+ cred->security = NULL;
}
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
{
+ int rc = lsm_cred_alloc(new, gfp);
+
+ if (rc)
+ return rc;
+
return call_int_hook(cred_prepare, 0, new, old, gfp);
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d37a723..dee7ea7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -179,12 +179,9 @@ static void cred_init_security(void)
struct cred *cred = (struct cred *) current->real_cred;
struct task_security_struct *tsec;
- tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
- if (!tsec)
- panic("SELinux: Failed to initialize initial task.\n");
-
+ lsm_early_cred(cred);
+ tsec = selinux_cred(cred);
tsec->osid = tsec->sid = SECINITSID_KERNEL;
- cred->security = tsec;
}
/*
@@ -194,7 +191,7 @@ static inline u32 cred_sid(const struct cred *cred)
{
const struct task_security_struct *tsec;
- tsec = cred->security;
+ tsec = selinux_cred(cred);
return tsec->sid;
}
@@ -442,7 +439,7 @@ static int may_context_mount_sb_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
@@ -459,7 +456,7 @@ static int may_context_mount_inode_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
@@ -1854,7 +1851,7 @@ static int may_create(struct inode *dir,
struct dentry *dentry,
u16 tclass)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid;
@@ -1875,7 +1872,7 @@ static int may_create(struct inode *dir,
if (rc)
return rc;
- rc = selinux_determine_inode_label(current_security(), dir,
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
&dentry->d_name, tclass, &newsid);
if (rc)
return rc;
@@ -2331,8 +2328,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- old_tsec = current_security();
- new_tsec = bprm->cred->security;
+ old_tsec = selinux_cred(current_cred());
+ new_tsec = selinux_cred(bprm->cred);
isec = inode_security(inode);
/* Default to the current task SID. */
@@ -2421,7 +2418,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
u32 sid, osid;
int atsecure = 0;
@@ -2503,7 +2500,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
struct rlimit *rlim, *initrlim;
int rc, i;
- new_tsec = bprm->cred->security;
+ new_tsec = selinux_cred(bprm->cred);
if (new_tsec->sid == new_tsec->osid)
return;
@@ -2545,7 +2542,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
*/
static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct itimerval itimer;
u32 osid, sid;
int rc, i;
@@ -2845,7 +2842,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
u32 newsid;
int rc;
- rc = selinux_determine_inode_label(current_security(),
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()),
d_inode(dentry->d_parent), name,
inode_mode_to_security_class(mode),
&newsid);
@@ -2864,14 +2861,14 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
int rc;
struct task_security_struct *tsec;
- rc = selinux_determine_inode_label(old->security,
+ rc = selinux_determine_inode_label(selinux_cred(old),
d_inode(dentry->d_parent), name,
inode_mode_to_security_class(mode),
&newsid);
if (rc)
return rc;
- tsec = new->security;
+ tsec = selinux_cred(new);
tsec->create_sid = newsid;
return 0;
}
@@ -2881,7 +2878,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
const char **name,
void **value, size_t *len)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct superblock_security_struct *sbsec;
u32 sid, newsid, clen;
int rc;
@@ -2892,7 +2889,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
sid = tsec->sid;
newsid = tsec->create_sid;
- rc = selinux_determine_inode_label(current_security(),
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()),
dir, qstr,
inode_mode_to_security_class(inode->i_mode),
&newsid);
@@ -3338,7 +3335,7 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
return -ENOMEM;
}
- tsec = new_creds->security;
+ tsec = selinux_cred(new_creds);
/* Get label from overlay inode and set it in create_sid */
selinux_inode_getsecid(d_inode(src), &sid);
tsec->create_sid = sid;
@@ -3718,52 +3715,16 @@ static int selinux_task_create(unsigned long clone_flags)
}
/*
- * allocate the SELinux part of blank credentials
- */
-static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- struct task_security_struct *tsec;
-
- tsec = kzalloc(sizeof(struct task_security_struct), gfp);
- if (!tsec)
- return -ENOMEM;
-
- cred->security = tsec;
- return 0;
-}
-
-/*
- * detach and free the LSM part of a set of credentials
- */
-static void selinux_cred_free(struct cred *cred)
-{
- struct task_security_struct *tsec = cred->security;
-
- /*
- * cred->security == NULL if security_cred_alloc_blank() or
- * security_prepare_creds() returned an error.
- */
- BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
- cred->security = (void *) 0x7UL;
- kfree(tsec);
-}
-
-/*
* prepare a new set of credentials for modification
*/
static int selinux_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- const struct task_security_struct *old_tsec;
- struct task_security_struct *tsec;
+ const struct task_security_struct *old_tsec = selinux_cred(old);
+ struct task_security_struct *tsec = selinux_cred(new);
- old_tsec = old->security;
-
- tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
- if (!tsec)
- return -ENOMEM;
+ *tsec = *old_tsec;
- new->security = tsec;
return 0;
}
@@ -3772,8 +3733,8 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
*/
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct task_security_struct *old_tsec = old->security;
- struct task_security_struct *tsec = new->security;
+ const struct task_security_struct *old_tsec = selinux_cred(old);
+ struct task_security_struct *tsec = selinux_cred(new);
*tsec = *old_tsec;
}
@@ -3784,7 +3745,7 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
*/
static int selinux_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = selinux_cred(new);
u32 sid = current_sid();
int ret;
@@ -3808,7 +3769,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
{
struct inode_security_struct *isec = inode_security(inode);
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = selinux_cred(new);
u32 sid = current_sid();
int ret;
@@ -4290,7 +4251,7 @@ static int sock_has_perm(struct sock *sk, u32 perms)
static int selinux_socket_create(int family, int type,
int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
u32 newsid;
u16 secclass;
int rc;
@@ -4309,7 +4270,7 @@ static int selinux_socket_create(int family, int type,
static int selinux_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
struct sk_security_struct *sksec;
u16 sclass = socket_type_to_security_class(family, type, protocol);
@@ -4924,7 +4885,7 @@ static int selinux_secmark_relabel_packet(u32 sid)
const struct task_security_struct *__tsec;
u32 tsid;
- __tsec = current_security();
+ __tsec = selinux_cred(current_cred());
tsid = __tsec->sid;
return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
@@ -5831,7 +5792,7 @@ static int selinux_getprocattr(struct task_struct *p,
unsigned len;
rcu_read_lock();
- __tsec = __task_cred(p)->security;
+ __tsec = selinux_cred(__task_cred(p));
if (current != p) {
error = avc_has_perm(current_sid(), __tsec->sid,
@@ -5944,7 +5905,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
operation. See selinux_bprm_set_creds for the execve
checks and may_create for the file creation checks. The
operation will then fail if the context is not permitted. */
- tsec = new->security;
+ tsec = selinux_cred(new);
if (!strcmp(name, "exec")) {
tsec->exec_sid = sid;
} else if (!strcmp(name, "fscreate")) {
@@ -6067,7 +6028,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
if (!ksec)
return -ENOMEM;
- tsec = cred->security;
+ tsec = selinux_cred(cred);
if (tsec->keycreate_sid)
ksec->sid = tsec->keycreate_sid;
else
@@ -6123,6 +6084,10 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
+struct lsm_blob_sizes selinux_blob_sizes = {
+ .lbs_cred = sizeof(struct task_security_struct),
+};
+
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
@@ -6206,8 +6171,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_open, selinux_file_open),
LSM_HOOK_INIT(task_create, selinux_task_create),
- LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
- LSM_HOOK_INIT(cred_free, selinux_cred_free),
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
@@ -6341,11 +6304,19 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
static __init int selinux_init(void)
{
+ static int finish;
+
if (!security_module_enable("selinux")) {
selinux_enabled = 0;
return 0;
}
+ if (!finish) {
+ security_add_blobs(&selinux_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
if (!selinux_enabled) {
printk(KERN_INFO "SELinux: Disabled at boot.\n");
return 0;
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index c03cdcd..48132cc 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -24,6 +24,9 @@
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
+#include <linux/lsm_hooks.h>
+#include <linux/msg.h>
+#include <net/sock.h>
#include <net/net_namespace.h>
#include "flask.h"
#include "avc.h"
@@ -140,5 +143,11 @@ struct key_security_struct {
};
extern unsigned int selinux_checkreqprot;
+extern struct lsm_blob_sizes selinux_blob_sizes;
+
+static inline struct task_security_struct *selinux_cred(const struct cred *cred)
+{
+ return cred->security;
+}
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index cb3fd98..645beb1 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -30,6 +30,7 @@
#include <linux/uaccess.h>
#include <linux/kobject.h>
#include <linux/ctype.h>
+#include <linux/lsm_hooks.h>
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs/nfsd/nfsctl.c code. */
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 56e354f..789d07b 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -79,7 +79,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
gfp_t gfp)
{
int rc;
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct xfrm_sec_ctx *ctx = NULL;
u32 str_len;
@@ -136,7 +136,7 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
*/
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
if (!ctx)
return 0;
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 612b810..17949ec 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -24,6 +24,7 @@
#include <linux/list.h>
#include <linux/rculist.h>
#include <linux/lsm_audit.h>
+#include <linux/msg.h>
/*
* Use IPv6 port labeling if IPv6 is enabled and secmarks
@@ -355,6 +356,11 @@ extern struct list_head smack_onlycap_list;
#define SMACK_HASH_SLOTS 16
extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
+static inline struct task_smack *smack_cred(const struct cred *cred)
+{
+ return cred->security;
+}
+
/*
* Is the directory transmuting?
*/
@@ -381,13 +387,16 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
return tsp->smk_task;
}
-static inline struct smack_known *smk_of_task_struct(const struct task_struct *t)
+static inline struct smack_known *smk_of_task_struct(
+ const struct task_struct *t)
{
struct smack_known *skp;
+ const struct cred *cred;
rcu_read_lock();
- skp = smk_of_task(__task_cred(t)->security);
+ cred = __task_cred(t);
rcu_read_unlock();
+ skp = smk_of_task(smack_cred(cred));
return skp;
}
@@ -404,7 +413,7 @@ static inline struct smack_known *smk_of_forked(const struct task_smack *tsp)
*/
static inline struct smack_known *smk_of_current(void)
{
- return smk_of_task(current_security());
+ return smk_of_task(smack_cred(current_cred()));
}
/*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 356e376..204dddb 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -275,7 +275,7 @@ int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known,
int smk_curacc(struct smack_known *obj_known,
u32 mode, struct smk_audit_info *a)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_tskacc(tsp, obj_known, mode, a);
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 927e60e..6ce81ac 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -121,7 +121,7 @@ static int smk_bu_note(char *note, struct smack_known *sskp,
static int smk_bu_current(char *note, struct smack_known *oskp,
int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (rc <= 0)
@@ -142,7 +142,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp,
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_task(struct task_struct *otp, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *smk_task = smk_of_task_struct(otp);
char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -164,7 +164,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_inode(struct inode *inode, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct inode_smack *isp = inode->i_security;
char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -194,7 +194,7 @@ static int smk_bu_inode(struct inode *inode, int mode, int rc)
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_file(struct file *file, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
struct inode_smack *isp = inode->i_security;
@@ -224,7 +224,7 @@ static int smk_bu_file(struct file *file, int mode, int rc)
static int smk_bu_credfile(const struct cred *cred, struct file *file,
int mode, int rc)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
struct inode_smack *isp = inode->i_security;
@@ -308,29 +308,20 @@ static struct inode_smack *new_inode_smack(struct smack_known *skp)
}
/**
- * new_task_smack - allocate a task security blob
+ * init_task_smack - initialize a task security blob
+ * @tsp: blob to initialize
* @task: a pointer to the Smack label for the running task
* @forked: a pointer to the Smack label for the forked task
- * @gfp: type of the memory for the allocation
*
- * Returns the new blob or NULL if there's no memory available
*/
-static struct task_smack *new_task_smack(struct smack_known *task,
- struct smack_known *forked, gfp_t gfp)
+static void init_task_smack(struct task_smack *tsp, struct smack_known *task,
+ struct smack_known *forked)
{
- struct task_smack *tsp;
-
- tsp = kzalloc(sizeof(struct task_smack), gfp);
- if (tsp == NULL)
- return NULL;
-
tsp->smk_task = task;
tsp->smk_forked = forked;
INIT_LIST_HEAD(&tsp->smk_rules);
INIT_LIST_HEAD(&tsp->smk_relabel);
mutex_init(&tsp->smk_rules_lock);
-
- return tsp;
}
/**
@@ -428,7 +419,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
}
rcu_read_lock();
- tsp = __task_cred(tracer)->security;
+ tsp = smack_cred(__task_cred(tracer));
tracer_known = smk_of_task(tsp);
if ((mode & PTRACE_MODE_ATTACH) &&
@@ -495,7 +486,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
int rc;
struct smack_known *skp;
- skp = smk_of_task(current_security());
+ skp = smk_of_task(smack_cred(current_cred()));
rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
return rc;
@@ -914,7 +905,7 @@ static int smack_sb_statfs(struct dentry *dentry)
static int smack_bprm_set_creds(struct linux_binprm *bprm)
{
struct inode *inode = file_inode(bprm->file);
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = smack_cred(bprm->cred);
struct inode_smack *isp;
struct superblock_smack *sbsp;
int rc;
@@ -963,7 +954,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
*/
static void smack_bprm_committing_creds(struct linux_binprm *bprm)
{
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = smack_cred(bprm->cred);
if (bsp->smk_task != bsp->smk_forked)
current->pdeath_signal = 0;
@@ -977,7 +968,7 @@ static void smack_bprm_committing_creds(struct linux_binprm *bprm)
*/
static int smack_bprm_secureexec(struct linux_binprm *bprm)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
if (tsp->smk_task != tsp->smk_forked)
return 1;
@@ -1776,7 +1767,7 @@ static int smack_mmap_file(struct file *file,
return -EACCES;
mkp = isp->smk_mmap;
- tsp = current_security();
+ tsp = smack_cred(current_cred());
skp = smk_of_current();
rc = 0;
@@ -1872,7 +1863,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
struct smack_known *skp;
- struct smack_known *tkp = smk_of_task(tsk->cred->security);
+ struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
struct file *file;
int rc;
struct smk_audit_info ad;
@@ -1920,7 +1911,7 @@ static int smack_file_receive(struct file *file)
if (S_ISSOCK(inode->i_mode)) {
sock = SOCKET_I(inode);
ssp = sock->sk->sk_security;
- tsp = current_security();
+ tsp = smack_cred(current_cred());
/*
* If the receiving process can't write to the
* passed socket or if the passed socket can't
@@ -1962,7 +1953,7 @@ static int smack_file_receive(struct file *file)
*/
static int smack_file_open(struct file *file, const struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct inode *inode = file_inode(file);
struct smk_audit_info ad;
int rc;
@@ -1990,14 +1981,7 @@ static int smack_file_open(struct file *file, const struct cred *cred)
*/
static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
- struct task_smack *tsp;
-
- tsp = new_task_smack(NULL, NULL, gfp);
- if (tsp == NULL)
- return -ENOMEM;
-
- cred->security = tsp;
-
+ init_task_smack(smack_cred(cred), NULL, NULL);
return 0;
}
@@ -2009,15 +1993,11 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void smack_cred_free(struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct smack_rule *rp;
struct list_head *l;
struct list_head *n;
- if (tsp == NULL)
- return;
- cred->security = NULL;
-
smk_destroy_label_list(&tsp->smk_relabel);
list_for_each_safe(l, n, &tsp->smk_rules) {
@@ -2025,7 +2005,6 @@ static void smack_cred_free(struct cred *cred)
list_del(&rp->list);
kfree(rp);
}
- kfree(tsp);
}
/**
@@ -2039,15 +2018,11 @@ static void smack_cred_free(struct cred *cred)
static int smack_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp;
+ struct task_smack *old_tsp = smack_cred(old);
+ struct task_smack *new_tsp = smack_cred(new);
int rc;
- new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp);
- if (new_tsp == NULL)
- return -ENOMEM;
-
- new->security = new_tsp;
+ init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task);
rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
if (rc != 0)
@@ -2055,10 +2030,7 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel,
gfp);
- if (rc != 0)
- return rc;
-
- return 0;
+ return rc;
}
/**
@@ -2070,15 +2042,14 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
*/
static void smack_cred_transfer(struct cred *new, const struct cred *old)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp = new->security;
+ struct task_smack *old_tsp = smack_cred(old);
+ struct task_smack *new_tsp = smack_cred(new);
new_tsp->smk_task = old_tsp->smk_task;
new_tsp->smk_forked = old_tsp->smk_task;
mutex_init(&new_tsp->smk_rules_lock);
INIT_LIST_HEAD(&new_tsp->smk_rules);
-
/* cbs copy rule list */
}
@@ -2091,7 +2062,7 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
*/
static int smack_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_smack *new_tsp = new->security;
+ struct task_smack *new_tsp = smack_cred(new);
new_tsp->smk_task = smack_from_secid(secid);
return 0;
@@ -2109,7 +2080,7 @@ static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
struct inode_smack *isp = inode->i_security;
- struct task_smack *tsp = new->security;
+ struct task_smack *tsp = smack_cred(new);
tsp->smk_forked = isp->smk_inode;
tsp->smk_task = tsp->smk_forked;
@@ -3672,7 +3643,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
*/
static int smack_setprocattr(const char *name, void *value, size_t size)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct cred *new;
struct smack_known *skp;
struct smack_known_list_elem *sklep;
@@ -3713,7 +3684,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
if (new == NULL)
return -ENOMEM;
- tsp = new->security;
+ tsp = smack_cred(new);
tsp->smk_task = skp;
/*
* process can change its label only once
@@ -4349,7 +4320,7 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- struct smack_known *skp = smk_of_task(cred->security);
+ struct smack_known *skp = smk_of_task(smack_cred(cred));
key->security = skp;
return 0;
@@ -4380,7 +4351,7 @@ static int smack_key_permission(key_ref_t key_ref,
{
struct key *keyp;
struct smk_audit_info ad;
- struct smack_known *tkp = smk_of_task(cred->security);
+ struct smack_known *tkp = smk_of_task(smack_cred(cred));
int request = 0;
int rc;
@@ -4633,6 +4604,10 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
return 0;
}
+struct lsm_blob_sizes smack_blob_sizes = {
+ .lbs_cred = sizeof(struct task_smack),
+};
+
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4808,23 +4783,35 @@ static __init void init_smack_known_list(void)
*/
static __init int smack_init(void)
{
- struct cred *cred;
+ static int finish;
+ struct cred *cred = (struct cred *) current->cred;
struct task_smack *tsp;
if (!security_module_enable("smack"))
return 0;
+ if (!finish) {
+ security_add_blobs(&smack_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
smack_inode_cache = KMEM_CACHE(inode_smack, 0);
if (!smack_inode_cache)
return -ENOMEM;
- tsp = new_task_smack(&smack_known_floor, &smack_known_floor,
- GFP_KERNEL);
- if (tsp == NULL) {
- kmem_cache_destroy(smack_inode_cache);
- return -ENOMEM;
- }
+ lsm_early_cred(cred);
+ /*
+ * Set the security state for the initial task.
+ */
+ tsp = smack_cred(cred);
+ init_task_smack(tsp, &smack_known_floor, &smack_known_floor);
+
+ /*
+ * Register with LSM
+ */
+ security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
smack_enabled = 1;
pr_info("Smack: Initializing.\n");
@@ -4838,20 +4825,9 @@ static __init int smack_init(void)
pr_info("Smack: IPv6 Netfilter enabled.\n");
#endif
- /*
- * Set the security state for the initial task.
- */
- cred = (struct cred *) current->cred;
- cred->security = tsp;
-
/* initialize the smack_known_list */
init_smack_known_list();
- /*
- * Register with LSM
- */
- security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
-
return 0;
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 366b835..0942737 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -2208,14 +2208,14 @@ static const struct file_operations smk_logging_ops = {
static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -2262,7 +2262,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_FIXED24_FMT);
@@ -2414,14 +2414,14 @@ static const struct file_operations smk_load2_ops = {
static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -2467,7 +2467,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_LONG_FMT);
@@ -2681,14 +2681,14 @@ static const struct file_operations smk_syslog_ops = {
static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_relabel);
}
static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_relabel);
}
@@ -2736,7 +2736,7 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file)
static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
char *data;
int rc;
LIST_HEAD(list_tmp);
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 361e7a2..cbcfccc 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -28,6 +28,7 @@
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/un.h>
+#include <linux/lsm_hooks.h>
#include <net/sock.h>
#include <net/af_unix.h>
#include <net/ip.h>
@@ -1196,13 +1197,26 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
}
/**
+ * tomoyo_cred - Get a pointer to the tomoyo cred security blob
+ * @cred - the relevant cred
+ *
+ * Returns pointer to the tomoyo cred blob.
+ */
+static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
+{
+ return cred->security;
+}
+
+/**
* tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
*
* Returns pointer to "struct tomoyo_domain_info" for current thread.
*/
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
- return current_cred()->security;
+ struct tomoyo_domain_info **blob = tomoyo_cred(current_cred());
+
+ return *blob;
}
/**
@@ -1215,7 +1229,9 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void)
static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
*task)
{
- return task_cred_xxx(task, security);
+ struct tomoyo_domain_info **blob = tomoyo_cred(get_task_cred(task));
+
+ return *blob;
}
/**
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 00d223e..80ebb42 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -677,6 +677,7 @@ static int tomoyo_environ(struct tomoyo_execve *ee)
*/
int tomoyo_find_next_domain(struct linux_binprm *bprm)
{
+ struct tomoyo_domain_info **blob;
struct tomoyo_domain_info *old_domain = tomoyo_domain();
struct tomoyo_domain_info *domain = NULL;
const char *original_name = bprm->filename;
@@ -842,7 +843,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
domain = old_domain;
/* Update reference count on "struct tomoyo_domain_info". */
atomic_inc(&domain->users);
- bprm->cred->security = domain;
+ blob = tomoyo_cred(bprm->cred);
+ *blob = domain;
kfree(exename.name);
if (!retval) {
ee->r.domain = domain;
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 06ab41b1..9289f2a 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -70,9 +70,12 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
if (!cred) {
error = -ENOMEM;
} else {
- struct tomoyo_domain_info *old_domain =
- cred->security;
- cred->security = new_domain;
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *old_domain;
+
+ blob = tomoyo_cred(cred);
+ old_domain = *blob;
+ *blob = new_domain;
atomic_inc(&new_domain->users);
atomic_dec(&old_domain->users);
commit_creds(cred);
@@ -233,10 +236,12 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode,
*/
static int __init tomoyo_initerface_init(void)
{
+ struct tomoyo_domain_info *domain;
struct dentry *tomoyo_dir;
+ domain = tomoyo_domain();
/* Don't create securityfs entries unless registered. */
- if (current_cred()->security != &tomoyo_kernel_domain)
+ if (domain != &tomoyo_kernel_domain)
return 0;
tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index b5fb930..be075b4 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -17,7 +17,9 @@
*/
static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
{
- new->security = NULL;
+ struct tomoyo_domain_info **blob = tomoyo_cred(new);
+
+ *blob = NULL;
return 0;
}
@@ -33,8 +35,13 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct tomoyo_domain_info *domain = old->security;
- new->security = domain;
+ struct tomoyo_domain_info **old_blob = tomoyo_cred(old);
+ struct tomoyo_domain_info **new_blob = tomoyo_cred(new);
+ struct tomoyo_domain_info *domain;
+
+ domain = *old_blob;
+ *new_blob = domain;
+
if (domain)
atomic_inc(&domain->users);
return 0;
@@ -58,7 +65,9 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
*/
static void tomoyo_cred_free(struct cred *cred)
{
- struct tomoyo_domain_info *domain = cred->security;
+ struct tomoyo_domain_info **blob = tomoyo_cred(cred);
+ struct tomoyo_domain_info *domain = *blob;
+
if (domain)
atomic_dec(&domain->users);
}
@@ -72,6 +81,9 @@ static void tomoyo_cred_free(struct cred *cred)
*/
static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
{
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *domain;
+
/*
* Do only if this function is called for the first time of an execve
* operation.
@@ -92,13 +104,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
* stored inside "bprm->cred->security" will be acquired later inside
* tomoyo_find_next_domain().
*/
- atomic_dec(&((struct tomoyo_domain_info *)
- bprm->cred->security)->users);
+ blob = tomoyo_cred(bprm->cred);
+ domain = *blob;
+ atomic_dec(&domain->users);
/*
* Tell tomoyo_bprm_check_security() is called for the first time of an
* execve operation.
*/
- bprm->cred->security = NULL;
+ *blob = NULL;
return 0;
}
@@ -111,8 +124,11 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
*/
static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
{
- struct tomoyo_domain_info *domain = bprm->cred->security;
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *domain;
+ blob = tomoyo_cred(bprm->cred);
+ domain = *blob;
/*
* Execute permission is checked against pathname passed to do_execve()
* using current domain.
@@ -492,6 +508,10 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
return tomoyo_socket_sendmsg_permission(sock, msg, size);
}
+struct lsm_blob_sizes tomoyo_blob_sizes = {
+ .lbs_cred = sizeof(struct tomoyo_domain_info *),
+};
+
/*
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
@@ -537,14 +557,25 @@ DEFINE_SRCU(tomoyo_ss);
*/
static int __init tomoyo_init(void)
{
+ static int finish;
struct cred *cred = (struct cred *) current_cred();
+ struct tomoyo_domain_info **blob;
if (!security_module_enable("tomoyo"))
return 0;
+
+ if (!finish) {
+ security_add_blobs(&tomoyo_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
printk(KERN_INFO "TOMOYO Linux initialized\n");
- cred->security = &tomoyo_kernel_domain;
+ lsm_early_cred(cred);
+ blob = tomoyo_cred(cred);
+ *blob = &tomoyo_kernel_domain;
tomoyo_mm_init();
return 0;
}
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 03/11] LSM: Manage file security blobs
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 01/11] procfs: add smack subdir to attrs Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 02/11] LSM: manage credential security blobs Casey Schaufler
@ 2017-04-05 21:52 ` Casey Schaufler
2017-04-05 21:53 ` [PATCH RFC 04/11] LSM: general but not extreme module stacking Casey Schaufler
` (7 subsequent siblings)
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:52 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 03/11] LSM: Manage file security blobs
Move the management of file security blobs from the individual
security modules to the security infrastructure. The security modules
using file blobs have been updated accordingly. Modules are required
to identify the space they need at module initialization. In some
cases a module no longer needs to supply a blob management hook, in
which case the hook has been removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/apparmor/include/context.h | 6 ++++++
security/apparmor/lsm.c | 26 ++++-------------------
security/security.c | 32 +++++++++++++++++++++++++++++
security/selinux/hooks.c | 41 +++++++++----------------------------
security/selinux/include/objsec.h | 5 +++++
security/smack/smack.h | 5 +++++
security/smack/smack_lsm.c | 26 ++++++++---------------
8 files changed, 72 insertions(+), 70 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 41f01e2..dc012eb 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1894,6 +1894,7 @@ struct security_hook_list {
*/
struct lsm_blob_sizes {
int lbs_cred;
+ int lbs_file;
};
/*
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index f35ad39..3ff3879 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -25,6 +25,7 @@
#define cred_ctx(X) apparmor_cred(X)
#define current_ctx() cred_ctx(current_cred())
+#define file_ctx(X) apparmor_file(X)
/* struct aa_file_ctx - the AppArmor context the file was opened in
* @perms: the permission the file was opened with
@@ -92,6 +93,11 @@ static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
return cred->security;
}
+static inline struct aa_file_ctx *apparmor_file(const struct file *file)
+{
+ return file->f_security;
+}
+
/**
* aa_cred_profile - obtain cred's profiles
* @cred: cred to obtain profiles from (NOT NULL)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 56a8fd9..ff0010f 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -329,7 +329,7 @@ static int apparmor_inode_getattr(const struct path *path)
static int apparmor_file_open(struct file *file, const struct cred *cred)
{
- struct aa_file_ctx *fctx = file->f_security;
+ struct aa_file_ctx *fctx = file_ctx(file);
struct aa_profile *profile;
int error = 0;
@@ -360,26 +360,9 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
return error;
}
-static int apparmor_file_alloc_security(struct file *file)
-{
- /* freed by apparmor_file_free_security */
- file->f_security = aa_alloc_file_context(GFP_KERNEL);
- if (!file->f_security)
- return -ENOMEM;
- return 0;
-
-}
-
-static void apparmor_file_free_security(struct file *file)
-{
- struct aa_file_ctx *ctx = file->f_security;
-
- aa_free_file_context(ctx);
-}
-
static int common_file_perm(const char *op, struct file *file, u32 mask)
{
- struct aa_file_ctx *fctx = file->f_security;
+ struct aa_file_ctx *fctx = file_ctx(file);
struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
int error = 0;
@@ -425,7 +408,7 @@ static int common_mmap(const char *op, struct file *file, unsigned long prot,
{
int mask = 0;
- if (!file || !file->f_security)
+ if (!file || file_ctx(file) == NULL)
return 0;
if (prot & PROT_READ)
@@ -566,6 +549,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
struct lsm_blob_sizes apparmor_blob_sizes = {
.lbs_cred = sizeof(struct aa_task_ctx),
+ .lbs_file = sizeof(struct aa_file_ctx),
};
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
@@ -588,8 +572,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_open, apparmor_file_open),
LSM_HOOK_INIT(file_permission, apparmor_file_permission),
- LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
LSM_HOOK_INIT(file_lock, apparmor_file_lock),
diff --git a/security/security.c b/security/security.c
index 5160a52..86c6796 100644
--- a/security/security.c
+++ b/security/security.c
@@ -87,6 +87,7 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
+ pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
#endif
return 0;
@@ -223,6 +224,30 @@ static void __init lsm_set_size(int *need, int *lbs)
void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
+ lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+}
+
+/**
+ * lsm_file_alloc - allocate a composite file blob
+ * @file: the file that needs a blob
+ *
+ * Allocate the file blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_file_alloc(struct file *file)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (file->f_security)
+ pr_info("%s: Inbound file blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_file == 0)
+ return 0;
+
+ file->f_security = kzalloc(blob_sizes.lbs_file, GFP_KERNEL);
+ if (file->f_security == NULL)
+ return -ENOMEM;
+ return 0;
}
/*
@@ -910,12 +935,19 @@ int security_file_permission(struct file *file, int mask)
int security_file_alloc(struct file *file)
{
+ int rc = lsm_file_alloc(file);
+
+ if (rc)
+ return rc;
return call_int_hook(file_alloc_security, 0, file);
}
void security_file_free(struct file *file)
{
call_void_hook(file_free_security, file);
+
+ kfree(file->f_security);
+ file->f_security = NULL;
}
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index dee7ea7..e1e0f4e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -127,7 +127,6 @@ int selinux_enabled = 1;
#endif
static struct kmem_cache *sel_inode_cache;
-static struct kmem_cache *file_security_cache;
/**
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
@@ -347,27 +346,15 @@ static void inode_free_security(struct inode *inode)
static int file_alloc_security(struct file *file)
{
- struct file_security_struct *fsec;
+ struct file_security_struct *fsec = selinux_file(file);
u32 sid = current_sid();
- fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
- if (!fsec)
- return -ENOMEM;
-
fsec->sid = sid;
fsec->fown_sid = sid;
- file->f_security = fsec;
return 0;
}
-static void file_free_security(struct file *file)
-{
- struct file_security_struct *fsec = file->f_security;
- file->f_security = NULL;
- kmem_cache_free(file_security_cache, fsec);
-}
-
static int superblock_alloc_security(struct super_block *sb)
{
struct superblock_security_struct *sbsec;
@@ -1793,7 +1780,7 @@ static int file_has_perm(const struct cred *cred,
struct file *file,
u32 av)
{
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode *inode = file_inode(file);
struct common_audit_data ad;
u32 sid = cred_sid(cred);
@@ -2112,7 +2099,7 @@ static int selinux_binder_transfer_file(struct task_struct *from,
struct file *file)
{
u32 sid = task_sid(to);
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct dentry *dentry = file->f_path.dentry;
struct inode_security_struct *isec;
struct common_audit_data ad;
@@ -3376,7 +3363,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
static int selinux_file_permission(struct file *file, int mask)
{
struct inode *inode = file_inode(file);
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode_security_struct *isec;
u32 sid = current_sid();
@@ -3398,11 +3385,6 @@ static int selinux_file_alloc_security(struct file *file)
return file_alloc_security(file);
}
-static void selinux_file_free_security(struct file *file)
-{
- file_free_security(file);
-}
-
/*
* Check whether a task has the ioctl permission and cmd
* operation to an inode.
@@ -3411,7 +3393,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
u32 requested, u16 cmd)
{
struct common_audit_data ad;
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode *inode = file_inode(file);
struct inode_security_struct *isec;
struct lsm_ioctlop_audit ioctl;
@@ -3645,7 +3627,7 @@ static void selinux_file_set_fowner(struct file *file)
{
struct file_security_struct *fsec;
- fsec = file->f_security;
+ fsec = selinux_file(file);
fsec->fown_sid = current_sid();
}
@@ -3660,7 +3642,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
/* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner);
- fsec = file->f_security;
+ fsec = selinux_file(file);
if (!signum)
perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@@ -3683,7 +3665,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
struct file_security_struct *fsec;
struct inode_security_struct *isec;
- fsec = file->f_security;
+ fsec = selinux_file(file);
isec = inode_security(file_inode(file));
/*
* Save inode label and policy sequence number
@@ -3812,7 +3794,7 @@ static int selinux_kernel_module_from_file(struct file *file)
ad.type = LSM_AUDIT_DATA_FILE;
ad.u.file = file;
- fsec = file->f_security;
+ fsec = selinux_file(file);
if (sid != fsec->sid) {
rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
if (rc)
@@ -6086,6 +6068,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
struct lsm_blob_sizes selinux_blob_sizes = {
.lbs_cred = sizeof(struct task_security_struct),
+ .lbs_file = sizeof(struct file_security_struct),
};
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
@@ -6157,7 +6140,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
@@ -6332,9 +6314,6 @@ static __init int selinux_init(void)
sel_inode_cache = kmem_cache_create("selinux_inode_security",
sizeof(struct inode_security_struct),
0, SLAB_PANIC, NULL);
- file_security_cache = kmem_cache_create("selinux_file_security",
- sizeof(struct file_security_struct),
- 0, SLAB_PANIC, NULL);
avc_init();
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 48132cc..6a638da 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -150,4 +150,9 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred)
return cred->security;
}
+static inline struct file_security_struct *selinux_file(const struct file *file)
+{
+ return file->f_security;
+}
+
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 17949ec..9e704a6 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -361,6 +361,11 @@ static inline struct task_smack *smack_cred(const struct cred *cred)
return cred->security;
}
+static inline struct smack_known **smack_file(const struct file *file)
+{
+ return file->f_security;
+}
+
/*
* Is the directory transmuting?
*/
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6ce81ac..74957d7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1603,25 +1603,13 @@ static void smack_inode_getsecid(struct inode *inode, u32 *secid)
*/
static int smack_file_alloc_security(struct file *file)
{
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_file(file);
- file->f_security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_file_free_security - clear a file security blob
- * @file: the object
- *
- * The security blob for a file is a pointer to the master
- * label list, so no memory is freed.
- */
-static void smack_file_free_security(struct file *file)
-{
- file->f_security = NULL;
-}
-
-/**
* smack_file_ioctl - Smack check on ioctls
* @file: the object
* @cmd: what to do
@@ -1845,7 +1833,9 @@ static int smack_mmap_file(struct file *file,
*/
static void smack_file_set_fowner(struct file *file)
{
- file->f_security = smk_of_current();
+ struct smack_known **blob = smack_file(file);
+
+ *blob = smk_of_current();
}
/**
@@ -1862,6 +1852,7 @@ static void smack_file_set_fowner(struct file *file)
static int smack_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
+ struct smack_known **blob;
struct smack_known *skp;
struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
struct file *file;
@@ -1874,7 +1865,8 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
file = container_of(fown, struct file, f_owner);
/* we don't log here as rc can be overriden */
- skp = file->f_security;
+ blob = smack_file(file);
+ skp = *blob;
rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
@@ -4606,6 +4598,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
struct lsm_blob_sizes smack_blob_sizes = {
.lbs_cred = sizeof(struct task_smack),
+ .lbs_file = sizeof(struct smack_known *),
};
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
@@ -4645,7 +4638,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, smack_file_free_security),
LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
LSM_HOOK_INIT(file_lock, smack_file_lock),
LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 04/11] LSM: general but not extreme module stacking
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (2 preceding siblings ...)
2017-04-05 21:52 ` [PATCH RFC 03/11] LSM: Manage file " Casey Schaufler
@ 2017-04-05 21:53 ` Casey Schaufler
2017-04-10 22:07 ` Tetsuo Handa
2017-04-05 21:53 ` [PATCH RFC 05/11] LSM: Infrastructure management of the remaining blobs Casey Schaufler
` (6 subsequent siblings)
10 siblings, 1 reply; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:53 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 04/11] LSM: general but not extreme module stacking
Leverage the infrastructure management of the credential and
file security blobs to allow stacking of security modules in
all but the most extreme case. Security modules are informed
of the location of their data within the blobs at module
initialization.
Stacking is optional. If stacking is not configured the old
limit of one "major" security module applies. If stacking is
configured any combination that does not include both SELinux
and Smack is allowed.
A subdirectory has been added to /proc/.../attr for each of
SELinux and AppArmor (Smack introduced such a subdirectory earlier)
to disambiguate what data is provided in the proc/.../attr
interfaces. An entry "context" is added to /proc/.../attr and
to each of the subdirectories. The "context" entry provides
process attribute information in the form:
lsm-name='lsm-data'[,lsm-name='lsm-data']...
Data returned with SO_PEERSEC and SCM_SECURITY will be
in "context" format when stacking is configured.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/security/LSM.txt | 18 ++++-
fs/proc/base.c | 33 +++++++++
include/linux/lsm_hooks.h | 2 +-
security/Kconfig | 94 ++++++++++++++++++++++++
security/apparmor/include/context.h | 10 +++
security/apparmor/lsm.c | 43 +++++++++--
security/security.c | 142 +++++++++++++++++++++++++++++++++++-
security/selinux/hooks.c | 24 +++++-
security/selinux/include/objsec.h | 8 ++
security/smack/smack.h | 9 +++
security/smack/smack_lsm.c | 23 +++---
security/tomoyo/common.h | 5 ++
security/tomoyo/tomoyo.c | 3 +-
13 files changed, 389 insertions(+), 25 deletions(-)
diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt
index 57eafbc..23664b7 100644
--- a/Documentation/security/LSM.txt
+++ b/Documentation/security/LSM.txt
@@ -18,8 +18,14 @@ in the core functionality of Linux itself.
The Linux capabilities modules will always be included. For more details
on capabilities, see capabilities(7) in the Linux man-pages project.
-This may be followed by any number of "minor" modules and at most one
-"major" module.
+
+Security modules that do not use the security data blobs maintained
+by the LSM infrastructure are considered "minor" modules. These may be
+included at compile time and stacked explicitly. Security modules that
+use the LSM maintained security blobs are considered "major" modules.
+These may only be stacked if the CONFIG_LSM_STACKED configuration
+option is used. If this is chosen all of the security modules selected
+will be used.
A list of the active security modules can be found by reading
/sys/kernel/security/lsm. This is a comma separated list, and
@@ -36,6 +42,14 @@ security module and contains all its special files. The files directly
in /proc/.../attr remain as legacy interfaces for modules that provide
subdirectories.
+The files named "context" in the attr directories contain the
+same information as the "current" files, but formatted to
+identify the module it comes from.
+
+if selinux is the active security module:
+ /proc/self/attr/context could contain selinux='unconfined_t'
+ /proc/self/attr/selinux/context could contain selinux='unconfined_t'
+
Based on https://lkml.org/lkml/2007/10/26/215,
a new LSM is accepted into the kernel when its intent (a description of
what it tries to protect against and in what cases one would expect to
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 2decd2f..9a5dde4 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2552,13 +2552,37 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \
.setattr = proc_setattr, \
}
+#ifdef CONFIG_SECURITY_SELINUX
+static const struct pid_entry selinux_attr_dir_stuff[] = {
+ ATTR("selinux", "current", 0666),
+ ATTR("selinux", "prev", 0444),
+ ATTR("selinux", "exec", 0666),
+ ATTR("selinux", "fscreate", 0666),
+ ATTR("selinux", "keycreate", 0666),
+ ATTR("selinux", "sockcreate", 0666),
+ ATTR("selinux", "context", 0666),
+};
+LSM_DIR_OPS(selinux);
+#endif
+
#ifdef CONFIG_SECURITY_SMACK
static const struct pid_entry smack_attr_dir_stuff[] = {
ATTR("smack", "current", 0666),
+ ATTR("smack", "context", 0666),
};
LSM_DIR_OPS(smack);
#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+static const struct pid_entry apparmor_attr_dir_stuff[] = {
+ ATTR("apparmor", "current", 0666),
+ ATTR("apparmor", "prev", 0444),
+ ATTR("apparmor", "exec", 0666),
+ ATTR("apparmor", "context", 0666),
+};
+LSM_DIR_OPS(apparmor);
+#endif
+
static const struct pid_entry attr_dir_stuff[] = {
ATTR(NULL, "current", 0666),
ATTR(NULL, "prev", 0444),
@@ -2566,10 +2590,19 @@ static const struct pid_entry attr_dir_stuff[] = {
ATTR(NULL, "fscreate", 0666),
ATTR(NULL, "keycreate", 0666),
ATTR(NULL, "sockcreate", 0666),
+ ATTR(NULL, "context", 0666),
+#ifdef CONFIG_SECURITY_SELINUX
+ DIR("selinux", 0555,
+ proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops),
+#endif
#ifdef CONFIG_SECURITY_SMACK
DIR("smack", 0555,
proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+ DIR("apparmor", 0555,
+ proc_apparmor_attr_dir_inode_ops, proc_apparmor_attr_dir_ops),
+#endif
};
static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index dc012eb..0c3767c 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1943,7 +1943,7 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
#define __lsm_ro_after_init __ro_after_init
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
-extern int __init security_module_enable(const char *module);
+extern bool __init security_module_enable(const char *lsm, const bool stacked);
extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA
extern void __init yama_add_hooks(void);
diff --git a/security/Kconfig b/security/Kconfig
index 84e13c0..e99cc20 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -36,6 +36,28 @@ config SECURITY_WRITABLE_HOOKS
bool
default n
+config SECURITY_STACKING
+ bool "Security module stacking"
+ depends on SECURITY
+ help
+ Allows multiple major security modules to be stacked.
+ Modules are invoked in the order registered with a
+ "bail on fail" policy, in which the infrastructure
+ will stop processing once a denial is detected. Not
+ all modules can be stacked. SELinux and Smack are
+ known to be incompatible. User space components may
+ have trouble identifying the security module providing
+ data in some cases.
+
+ If you select this option you will have to select which
+ of the stackable modules you wish to be active. The
+ "Default security module" will be ignored. The boot line
+ "security=" option can be used to specify that one of
+ the modules identifed for stacking should be used instead
+ of the entire stack.
+
+ If you are unsure how to answer this question, answer N.
+
config SECURITY_LSM_DEBUG
bool "Enable debugging of the LSM infrastructure"
depends on SECURITY
@@ -218,6 +240,9 @@ source security/yama/Kconfig
source security/integrity/Kconfig
+menu "Security Module Selection"
+ visible if !SECURITY_STACKING
+
choice
prompt "Default security module"
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
@@ -257,3 +282,72 @@ config DEFAULT_SECURITY
endmenu
+menu "Security Module Stack"
+ visible if SECURITY_STACKING
+
+choice
+ prompt "Stacked 'extreme' security module"
+ default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
+ default SECURITY_SMACK_STACKED if SECURITY_SMACK
+
+ help
+ Enable an extreme security module. These modules cannot
+ be used at the same time.
+
+ config SECURITY_SELINUX_STACKED
+ bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Add the SELinux security module to the stack. At this
+ time the Smack security module is incompatible with this
+ module.
+ Please be sure your user space code is accomodating of
+ this security module.
+
+ config SECURITY_SMACK_STACKED
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+ help
+ Add the Smack security module to the stack. At this
+ time the SELinux security module is incompatible with this
+ module.
+ Please be sure your user space code is accomodating of
+ this security module.
+
+ config SECURITY_NOTHING_STACKED
+ bool "Use no 'extreme' security module"
+ help
+ Add neither the SELinux security module nor the Smack security
+ module to the stack.
+ Please be sure your user space code does not require either of
+ these security modules.
+
+endchoice
+
+config SECURITY_TOMOYO_STACKED
+ bool "TOMOYO support is enabled by default"
+ depends on SECURITY_TOMOYO && SECURITY_STACKING
+ default n
+ help
+ This option instructs the system to use the TOMOYO checks.
+ If not selected the module will not be invoked.
+ Stacked security modules may interact in unexpected ways.
+ Please be sure your user space code is accomodating of
+ multiple security modules.
+
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_APPARMOR_STACKED
+ bool "AppArmor support is enabled by default"
+ depends on SECURITY_APPARMOR && SECURITY_STACKING
+ default n
+ help
+ This option instructs the system to use the AppArmor checks.
+ If not selected the module will not be invoked.
+ Stacked security modules may interact in unexpected ways.
+ Please be sure your user space code is accomodating of
+ multiple security modules.
+
+ If you are unsure how to answer this question, answer N.
+
+endmenu
+
+endmenu
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index 3ff3879..de3c4b8 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -88,14 +88,24 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token);
int aa_restore_previous_profile(u64 cookie);
struct aa_profile *aa_get_task_profile(struct task_struct *task);
+extern struct lsm_blob_sizes apparmor_blob_sizes;
+
static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + apparmor_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
static inline struct aa_file_ctx *apparmor_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + apparmor_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
/**
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index ff0010f..0d286fc 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -446,9 +446,13 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
const struct cred *cred = get_task_cred(task);
struct aa_task_ctx *ctx = cred_ctx(cred);
struct aa_profile *profile = NULL;
+ char *vp;
+ char *np;
if (strcmp(name, "current") == 0)
profile = aa_get_newest_profile(ctx->profile);
+ else if (strcmp(name, "context") == 0)
+ profile = aa_get_newest_profile(ctx->profile);
else if (strcmp(name, "prev") == 0 && ctx->previous)
profile = aa_get_newest_profile(ctx->previous);
else if (strcmp(name, "exec") == 0 && ctx->onexec)
@@ -456,9 +460,29 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
else
error = -EINVAL;
- if (profile)
- error = aa_getprocattr(profile, value);
+ if (profile == NULL)
+ goto put_out;
+
+ error = aa_getprocattr(profile, &vp);
+ if (error < 0)
+ goto put_out;
+
+ if (strcmp(name, "context") == 0) {
+ *value = kasprintf(GFP_KERNEL, "apparmor='%s'", vp);
+ if (*value == NULL) {
+ error = -ENOMEM;
+ goto put_out;
+ }
+ np = strchr(*value, '\n');
+ if (np != NULL) {
+ np[0] = '\'';
+ np[1] = '\0';
+ }
+ error = strlen(*value);
+ } else
+ *value = vp;
+put_out:
aa_put_profile(profile);
put_cred(cred);
@@ -496,7 +520,7 @@ static int apparmor_setprocattr(const char *name, void *value,
goto out;
arg_size = size - (args - (largs ? largs : (char *) value));
- if (strcmp(name, "current") == 0) {
+ if (strcmp(name, "current") == 0 || strcmp(name, "context") == 0) {
if (strcmp(command, "changehat") == 0) {
error = aa_setprocattr_changehat(args, arg_size,
!AA_DO_TEST);
@@ -518,7 +542,10 @@ static int apparmor_setprocattr(const char *name, void *value,
else
goto fail;
} else
- /* only support the "current" and "exec" process attributes */
+ /*
+ * only support the "current", "context" and "exec"
+ * process attributes
+ */
goto fail;
if (!error)
@@ -921,13 +948,17 @@ static int __init apparmor_init(void)
int error;
if (!finish) {
- if (apparmor_enabled && security_module_enable("apparmor"))
+ if (apparmor_enabled &&
+ security_module_enable("apparmor",
+ IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
security_add_blobs(&apparmor_blob_sizes);
finish = 1;
return 0;
}
- if (!apparmor_enabled || !security_module_enable("apparmor")) {
+ if (!apparmor_enabled ||
+ !security_module_enable("apparmor",
+ IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED))) {
aa_info_message("AppArmor disabled by boot time parameter");
apparmor_enabled = 0;
return 0;
diff --git a/security/security.c b/security/security.c
index 86c6796..67a29a7 100644
--- a/security/security.c
+++ b/security/security.c
@@ -31,6 +31,7 @@
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
+#define MODULE_STACK "(stacking)"
struct security_hook_heads security_hook_heads __lsm_ro_after_init;
char *lsm_names;
@@ -38,7 +39,11 @@ static struct lsm_blob_sizes blob_sizes;
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
+#ifdef CONFIG_SECURITY_STACKING
+ MODULE_STACK;
+#else
CONFIG_DEFAULT_SECURITY;
+#endif
static void __init do_security_initcalls(void)
{
@@ -120,6 +125,7 @@ static int lsm_append(char *new, char **result)
/**
* security_module_enable - Load given security module on boot ?
* @module: the name of the module
+ * @stacked: indicates that the module wants to be stacked
*
* Each LSM must pass this method before registering its own operations
* to avoid security registration races. This method may also be used
@@ -131,9 +137,29 @@ static int lsm_append(char *new, char **result)
* choose an alternate LSM@boot time.
* Otherwise, return false.
*/
-int __init security_module_enable(const char *module)
+bool __init security_module_enable(const char *lsm, const bool stacked)
{
- return !strcmp(module, chosen_lsm);
+#ifdef CONFIG_SECURITY_STACKING
+ /*
+ * Module defined on the command line security=XXXX
+ */
+ if (strcmp(chosen_lsm, MODULE_STACK)) {
+ if (!strcmp(lsm, chosen_lsm)) {
+ pr_info("Command line sets the %s security module.\n",
+ lsm);
+ return true;
+ }
+ return false;
+ }
+ /*
+ * Module configured as stacked.
+ */
+ return stacked;
+#else
+ if (strcmp(lsm, chosen_lsm) == 0)
+ return true;
+ return false;
+#endif
}
/**
@@ -1348,8 +1374,49 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
char **value)
{
struct security_hook_list *hp;
+ char *vp;
+ char *cp = NULL;
+ int trc;
int rc;
+ /*
+ * "context" requires work here in addition to what
+ * the modules provide.
+ */
+ if (strcmp(name, "context") == 0) {
+ *value = NULL;
+ rc = -EINVAL;
+ list_for_each_entry(hp,
+ &security_hook_heads.getprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ trc = hp->hook.getprocattr(p, "context", &vp);
+ if (trc == -ENOENT)
+ continue;
+ if (trc <= 0) {
+ kfree(*value);
+ return trc;
+ }
+ rc = trc;
+ if (*value == NULL) {
+ *value = vp;
+ } else {
+ cp = kasprintf(GFP_KERNEL, "%s,%s", *value, vp);
+ if (cp == NULL) {
+ kfree(*value);
+ kfree(vp);
+ return -ENOMEM;
+ }
+ kfree(*value);
+ kfree(vp);
+ *value = cp;
+ }
+ }
+ if (rc > 0)
+ return strlen(*value);
+ return rc;
+ }
+
list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
if (lsm != NULL && strcmp(lsm, hp->lsm))
continue;
@@ -1365,6 +1432,77 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
{
struct security_hook_list *hp;
int rc;
+ char *local;
+ char *cp;
+ int slen;
+ int failed = 0;
+
+ /*
+ * If lsm is NULL look at all the modules to find one
+ * that processes name. If lsm is not NULL only look at
+ * that module.
+ *
+ * "context" is handled directly here.
+ */
+ if (strcmp(name, "context") == 0) {
+ /*
+ * First verify that the input is acceptable.
+ * lsm1='v1'lsm2='v2'lsm3='v3'
+ *
+ * A note on the use of strncmp() below.
+ * The check is for the substring at the beginning of cp.
+ * The kzalloc of size + 1 ensures a terminated string.
+ */
+ rc = -EINVAL;
+ local = kzalloc(size + 1, GFP_KERNEL);
+ memcpy(local, value, size);
+ cp = local;
+ list_for_each_entry(hp, &security_hook_heads.setprocattr,
+ list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ if (cp[0] == ',') {
+ if (cp == local)
+ goto free_out;
+ cp++;
+ }
+ slen = strlen(hp->lsm);
+ if (strncmp(cp, hp->lsm, slen))
+ goto free_out;
+ cp += slen;
+ if (cp[0] != '=' || cp[1] != '\'' || cp[2] == '\'')
+ goto free_out;
+ for (cp += 2; cp[0] != '\''; cp++)
+ if (cp[0] == '\0')
+ goto free_out;
+ cp++;
+ }
+
+ cp = local;
+ list_for_each_entry(hp, &security_hook_heads.setprocattr,
+ list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ if (cp[0] == ',')
+ cp++;
+ cp += strlen(hp->lsm) + 2;
+ for (slen = 0; cp[slen] != '\''; slen++)
+ ;
+ cp[slen] = '\0';
+
+ rc = hp->hook.setprocattr("context", cp, slen);
+ if (rc < 0)
+ failed = rc;
+ cp += slen + 1;
+ }
+ if (failed != 0)
+ rc = failed;
+ else
+ rc = size;
+free_out:
+ kfree(local);
+ return rc;
+ }
list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
if (lsm != NULL && strcmp(lsm, hp->lsm))
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e1e0f4e..4ae75c3 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5785,6 +5785,8 @@ static int selinux_getprocattr(struct task_struct *p,
if (!strcmp(name, "current"))
sid = __tsec->sid;
+ else if (!strcmp(name, "context"))
+ sid = __tsec->sid;
else if (!strcmp(name, "prev"))
sid = __tsec->osid;
else if (!strcmp(name, "exec"))
@@ -5804,7 +5806,19 @@ static int selinux_getprocattr(struct task_struct *p,
if (!sid)
return 0;
- error = security_sid_to_context(sid, value, &len);
+ if (strcmp(name, "context")) {
+ error = security_sid_to_context(sid, value, &len);
+ } else {
+ char *vp;
+
+ error = security_sid_to_context(sid, &vp, &len);
+ if (!error) {
+ *value = kasprintf(GFP_KERNEL, "selinux='%s'", vp);
+ if (*value == NULL)
+ error = -ENOMEM;
+ }
+ }
+
if (error)
return error;
return len;
@@ -5840,6 +5854,9 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
else if (!strcmp(name, "current"))
error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
PROCESS__SETCURRENT, NULL);
+ else if (!strcmp(name, "context"))
+ error = avc_has_perm(mysid, mysid, SECCLASS_PROCESS,
+ PROCESS__SETCURRENT, NULL);
else
error = -EINVAL;
if (error)
@@ -5900,7 +5917,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
tsec->keycreate_sid = sid;
} else if (!strcmp(name, "sockcreate")) {
tsec->sockcreate_sid = sid;
- } else if (!strcmp(name, "current")) {
+ } else if (!strcmp(name, "current") || !strcmp(name, "context")) {
error = -EINVAL;
if (sid == 0)
goto abort_change;
@@ -6288,7 +6305,8 @@ static __init int selinux_init(void)
{
static int finish;
- if (!security_module_enable("selinux")) {
+ if (!security_module_enable("selinux",
+ IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED))) {
selinux_enabled = 0;
return 0;
}
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 6a638da..5be9c72 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -147,12 +147,20 @@ extern struct lsm_blob_sizes selinux_blob_sizes;
static inline struct task_security_struct *selinux_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + selinux_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
static inline struct file_security_struct *selinux_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + selinux_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 9e704a6..a84c231 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -336,6 +336,7 @@ extern struct smack_known *smack_syslog_label;
extern struct smack_known *smack_unconfined;
#endif
extern int smack_ptrace_rule;
+extern struct lsm_blob_sizes smack_blob_sizes;
extern struct smack_known smack_known_floor;
extern struct smack_known smack_known_hat;
@@ -358,12 +359,20 @@ extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
static inline struct task_smack *smack_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + smack_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
static inline struct smack_known **smack_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + smack_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
/*
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 74957d7..af741fa 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3608,18 +3608,20 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
{
struct smack_known *skp = smk_of_task_struct(p);
char *cp;
- int slen;
- if (strcmp(name, "current") != 0)
+ if (strcmp(name, "current") == 0) {
+ cp = kstrdup(skp->smk_known, GFP_KERNEL);
+ if (cp == NULL)
+ return -ENOMEM;
+ } else if (strcmp(name, "context") == 0) {
+ cp = kasprintf(GFP_KERNEL, "smack='%s'", skp->smk_known);
+ if (cp == NULL)
+ return -ENOMEM;
+ } else
return -EINVAL;
- cp = kstrdup(skp->smk_known, GFP_KERNEL);
- if (cp == NULL)
- return -ENOMEM;
-
- slen = strlen(cp);
*value = cp;
- return slen;
+ return strlen(cp);
}
/**
@@ -3647,7 +3649,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
return -EINVAL;
- if (strcmp(name, "current") != 0)
+ if (strcmp(name, "current") != 0 && strcmp(name, "context") != 0)
return -EINVAL;
skp = smk_import_entry(value, size);
@@ -4779,7 +4781,8 @@ static __init int smack_init(void)
struct cred *cred = (struct cred *) current->cred;
struct task_smack *tsp;
- if (!security_module_enable("smack"))
+ if (!security_module_enable("smack",
+ IS_ENABLED(CONFIG_SECURITY_SMACK_STACKED)))
return 0;
if (!finish) {
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index cbcfccc..a78b354 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -1085,6 +1085,7 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
+extern struct lsm_blob_sizes tomoyo_blob_sizes;
/********** Inlined functions. **********/
@@ -1204,7 +1205,11 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
*/
static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + tomoyo_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
/**
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index be075b4..27f1198 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -561,7 +561,8 @@ static int __init tomoyo_init(void)
struct cred *cred = (struct cred *) current_cred();
struct tomoyo_domain_info **blob;
- if (!security_module_enable("tomoyo"))
+ if (!security_module_enable("tomoyo",
+ IS_ENABLED(CONFIG_SECURITY_TOMOYO_STACKED)))
return 0;
if (!finish) {
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 05/11] LSM: Infrastructure management of the remaining blobs
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (3 preceding siblings ...)
2017-04-05 21:53 ` [PATCH RFC 04/11] LSM: general but not extreme module stacking Casey Schaufler
@ 2017-04-05 21:53 ` Casey Schaufler
2017-04-05 21:53 ` [PATCH RFC 06/11] Smack: remove socket blob free Casey Schaufler
` (5 subsequent siblings)
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:53 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 05/11] LSM: Infrastructure management of the remaining blobs
Move management of the inode, ipc, key, msg_msg, sock and superblock
security blobs from the security modules to the infrastructure.
Use of the blob pointers is abstracted in the security modules.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 8 +
security/security.c | 259 ++++++++++++++++++++++++++++-
security/selinux/hooks.c | 333 ++++++++++++-------------------------
security/selinux/include/objsec.h | 65 +++++++-
security/selinux/netlabel.c | 15 +-
security/selinux/selinuxfs.c | 4 +-
security/selinux/ss/services.c | 3 +-
security/smack/smack.h | 61 ++++++-
security/smack/smack_lsm.c | 342 +++++++++++---------------------------
security/smack/smack_netfilter.c | 8 +-
10 files changed, 599 insertions(+), 499 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0c3767c..4480ed6 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1895,6 +1895,12 @@ struct security_hook_list {
struct lsm_blob_sizes {
int lbs_cred;
int lbs_file;
+ int lbs_inode;
+ int lbs_ipc;
+ int lbs_key;
+ int lbs_msg_msg;
+ int lbs_sock;
+ int lbs_superblock;
};
/*
@@ -1957,9 +1963,11 @@ static inline void loadpin_add_hooks(void) { };
#endif
extern int lsm_cred_alloc(struct cred *cred, gfp_t gfp);
+extern int lsm_inode_alloc(struct inode *inode);
#ifdef CONFIG_SECURITY
void lsm_early_cred(struct cred *cred);
+void lsm_early_inode(struct inode *inode);
#endif
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/security/security.c b/security/security.c
index 67a29a7..d4b3479 100644
--- a/security/security.c
+++ b/security/security.c
@@ -25,7 +25,9 @@
#include <linux/mount.h>
#include <linux/personality.h>
#include <linux/backing-dev.h>
+#include <linux/msg.h>
#include <net/flow.h>
+#include <net/sock.h>
#define MAX_LSM_EVM_XATTR 2
@@ -93,7 +95,15 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
-#endif
+ pr_info("LSM: inode blob size = %d\n", blob_sizes.lbs_inode);
+ pr_info("LSM: ipc blob size = %d\n", blob_sizes.lbs_ipc);
+#ifdef CONFIG_KEYS
+ pr_info("LSM: key blob size = %d\n", blob_sizes.lbs_key);
+#endif /* CONFIG_KEYS */
+ pr_info("LSM: msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
+ pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock);
+ pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock);
+#endif /* CONFIG_SECURITY_LSM_DEBUG */
return 0;
}
@@ -251,6 +261,18 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+ lsm_set_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
+ lsm_set_size(&needed->lbs_key, &blob_sizes.lbs_key);
+ lsm_set_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
+ lsm_set_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
+ lsm_set_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
+ /*
+ * The inode blob gets an rcu_head in addition to
+ * what the modules might need.
+ */
+ if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
+ blob_sizes.lbs_inode = sizeof(struct rcu_head);
+ lsm_set_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
}
/**
@@ -276,6 +298,166 @@ int lsm_file_alloc(struct file *file)
return 0;
}
+/**
+ * lsm_inode_alloc - allocate a composite inode blob
+ * @inode: the inode that needs a blob
+ *
+ * Allocate the inode blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_inode_alloc(struct inode *inode)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (inode->i_security)
+ pr_info("%s: Inbound inode blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_inode == 0)
+ return 0;
+
+ inode->i_security = kzalloc(blob_sizes.lbs_inode, GFP_KERNEL);
+ if (inode->i_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_early_inode - during initialization allocate a composite inode blob
+ * @inode: the inode that needs a blob
+ *
+ * Allocate the inode blob for all the modules if it's not already there
+ */
+void lsm_early_inode(struct inode *inode)
+{
+ int rc;
+
+ if (inode == NULL)
+ panic("%s: NULL inode.\n", __func__);
+ if (inode->i_security != NULL)
+ return;
+ rc = lsm_inode_alloc(inode);
+ if (rc)
+ panic("%s: Early inode alloc failed.\n", __func__);
+}
+
+/**
+ * lsm_ipc_alloc - allocate a composite ipc blob
+ * @kip: the ipc that needs a blob
+ *
+ * Allocate the ipc blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_ipc_alloc(struct kern_ipc_perm *kip)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (kip->security)
+ pr_info("%s: Inbound ipc blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_ipc == 0)
+ return 0;
+
+ kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
+ if (kip->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+#ifdef CONFIG_KEYS
+/**
+ * lsm_key_alloc - allocate a composite key blob
+ * @key: the key that needs a blob
+ *
+ * Allocate the key blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_key_alloc(struct key *key)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (key->security)
+ pr_info("%s: Inbound key blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_key == 0)
+ return 0;
+
+ key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
+ if (key->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+#endif /* CONFIG_KEYS */
+
+/**
+ * lsm_msg_msg_alloc - allocate a composite msg_msg blob
+ * @mp: the msg_msg that needs a blob
+ *
+ * Allocate the ipc blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_msg_msg_alloc(struct msg_msg *mp)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (mp->security)
+ pr_info("%s: Inbound msg_msg blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_msg_msg == 0)
+ return 0;
+
+ mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
+ if (mp->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_sock_alloc - allocate a composite sock blob
+ * @sock: the sock that needs a blob
+ * @priority: allocation mode
+ *
+ * Allocate the sock blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_sock_alloc(struct sock *sock, gfp_t priority)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (sock->sk_security)
+ pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_sock == 0)
+ return 0;
+
+ sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
+ if (sock->sk_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_superblock_alloc - allocate a composite superblock blob
+ * @sb: the superblock that needs a blob
+ *
+ * Allocate the superblock blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_superblock_alloc(struct super_block *sb)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (sb->s_security)
+ pr_info("%s: Inbound superblock blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_superblock == 0)
+ return 0;
+
+ sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
+ if (sb->s_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
/*
* Hook list operation macros.
*
@@ -448,12 +630,18 @@ int security_bprm_secureexec(struct linux_binprm *bprm)
int security_sb_alloc(struct super_block *sb)
{
+ int rc = lsm_superblock_alloc(sb);
+
+ if (rc)
+ return rc;
return call_int_hook(sb_alloc_security, 0, sb);
}
void security_sb_free(struct super_block *sb)
{
call_void_hook(sb_free_security, sb);
+ kfree(sb->s_security);
+ sb->s_security = NULL;
}
int security_sb_copy_data(char *orig, char *copy)
@@ -524,14 +712,39 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode)
{
- inode->i_security = NULL;
+ int rc = lsm_inode_alloc(inode);
+
+ if (rc)
+ return rc;
return call_int_hook(inode_alloc_security, 0, inode);
}
+static void inode_free_by_rcu(struct rcu_head *head)
+{
+ /*
+ * The rcu head is at the start of the inode blob
+ */
+ kfree(head);
+}
+
void security_inode_free(struct inode *inode)
{
integrity_inode_free(inode);
call_void_hook(inode_free_security, inode);
+ /*
+ * The inode may still be referenced in a path walk and
+ * a call to security_inode_permission() can be made
+ * after inode_free_security() is called. Ideally, the VFS
+ * wouldn't do this, but fixing that is a much harder
+ * job. For now, simply free the i_security via RCU, and
+ * leave the current inode->i_security pointer intact.
+ * The inode will be freed after the RCU grace period too.
+ */
+ if (inode->i_security != NULL) {
+ call_rcu((struct rcu_head *)inode->i_security,
+ inode_free_by_rcu);
+ inode->i_security = NULL;
+ }
}
int security_dentry_init_security(struct dentry *dentry, int mode,
@@ -1271,22 +1484,36 @@ void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
int security_msg_msg_alloc(struct msg_msg *msg)
{
+ int rc = lsm_msg_msg_alloc(msg);
+
+ if (rc)
+ return rc;
return call_int_hook(msg_msg_alloc_security, 0, msg);
}
void security_msg_msg_free(struct msg_msg *msg)
{
call_void_hook(msg_msg_free_security, msg);
+ kfree(msg->security);
+ msg->security = NULL;
}
int security_msg_queue_alloc(struct msg_queue *msq)
{
+ int rc = lsm_ipc_alloc(&msq->q_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(msg_queue_alloc_security, 0, msq);
}
void security_msg_queue_free(struct msg_queue *msq)
{
+ struct kern_ipc_perm *kip = &msq->q_perm;
+
call_void_hook(msg_queue_free_security, msq);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
@@ -1313,12 +1540,20 @@ int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
int security_shm_alloc(struct shmid_kernel *shp)
{
+ int rc = lsm_ipc_alloc(&shp->shm_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(shm_alloc_security, 0, shp);
}
void security_shm_free(struct shmid_kernel *shp)
{
+ struct kern_ipc_perm *kip = &shp->shm_perm;
+
call_void_hook(shm_free_security, shp);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_shm_associate(struct shmid_kernel *shp, int shmflg)
@@ -1338,12 +1573,20 @@ int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmfl
int security_sem_alloc(struct sem_array *sma)
{
+ int rc = lsm_ipc_alloc(&sma->sem_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(sem_alloc_security, 0, sma);
}
void security_sem_free(struct sem_array *sma)
{
+ struct kern_ipc_perm *kip = &sma->sem_perm;
+
call_void_hook(sem_free_security, sma);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_sem_associate(struct sem_array *sma, int semflg)
@@ -1673,12 +1916,18 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
{
+ int rc = lsm_sock_alloc(sk, priority);
+
+ if (rc)
+ return rc;
return call_int_hook(sk_alloc_security, 0, sk, family, priority);
}
void security_sk_free(struct sock *sk)
{
call_void_hook(sk_free_security, sk);
+ kfree(sk->sk_security);
+ sk->sk_security = NULL;
}
void security_sk_clone(const struct sock *sk, struct sock *newsk)
@@ -1881,12 +2130,18 @@ EXPORT_SYMBOL(security_skb_classify_flow);
int security_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
+ int rc = lsm_key_alloc(key);
+
+ if (rc)
+ return rc;
return call_int_hook(key_alloc, 0, key, cred, flags);
}
void security_key_free(struct key *key)
{
call_void_hook(key_free, key);
+ kfree(key->security);
+ key->security = NULL;
}
int security_key_permission(key_ref_t key_ref,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4ae75c3..60d9fe8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -126,8 +126,6 @@ __setup("selinux=", selinux_enabled_setup);
int selinux_enabled = 1;
#endif
-static struct kmem_cache *sel_inode_cache;
-
/**
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
*
@@ -211,13 +209,9 @@ static inline u32 task_sid(const struct task_struct *task)
static int inode_alloc_security(struct inode *inode)
{
- struct inode_security_struct *isec;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 sid = current_sid();
- isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
- if (!isec)
- return -ENOMEM;
-
spin_lock_init(&isec->lock);
INIT_LIST_HEAD(&isec->list);
isec->inode = inode;
@@ -225,7 +219,6 @@ static int inode_alloc_security(struct inode *inode)
isec->sclass = SECCLASS_FILE;
isec->task_sid = sid;
isec->initialized = LABEL_INVALID;
- inode->i_security = isec;
return 0;
}
@@ -243,7 +236,7 @@ static int __inode_security_revalidate(struct inode *inode,
struct dentry *opt_dentry,
bool may_sleep)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
might_sleep_if(may_sleep);
@@ -263,7 +256,7 @@ static int __inode_security_revalidate(struct inode *inode,
static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
{
- return inode->i_security;
+ return selinux_inode(inode);
}
static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
@@ -273,7 +266,7 @@ static struct inode_security_struct *inode_security_rcu(struct inode *inode, boo
error = __inode_security_revalidate(inode, NULL, !rcu);
if (error)
return ERR_PTR(error);
- return inode->i_security;
+ return selinux_inode(inode);
}
/*
@@ -282,14 +275,14 @@ static struct inode_security_struct *inode_security_rcu(struct inode *inode, boo
static struct inode_security_struct *inode_security(struct inode *inode)
{
__inode_security_revalidate(inode, NULL, true);
- return inode->i_security;
+ return selinux_inode(inode);
}
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
{
struct inode *inode = d_backing_inode(dentry);
- return inode->i_security;
+ return selinux_inode(inode);
}
/*
@@ -300,21 +293,14 @@ static struct inode_security_struct *backing_inode_security(struct dentry *dentr
struct inode *inode = d_backing_inode(dentry);
__inode_security_revalidate(inode, dentry, true);
- return inode->i_security;
-}
-
-static void inode_free_rcu(struct rcu_head *head)
-{
- struct inode_security_struct *isec;
-
- isec = container_of(head, struct inode_security_struct, rcu);
- kmem_cache_free(sel_inode_cache, isec);
+ return selinux_inode(inode);
}
static void inode_free_security(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
+ struct superblock_security_struct *sbsec =
+ selinux_superblock(inode->i_sb);
/*
* As not all inode security structures are in a list, we check for
@@ -331,17 +317,6 @@ static void inode_free_security(struct inode *inode)
list_del_init(&isec->list);
spin_unlock(&sbsec->isec_lock);
}
-
- /*
- * The inode may still be referenced in a path walk and
- * a call to selinux_inode_permission() can be made
- * after inode_free_security() is called. Ideally, the VFS
- * wouldn't do this, but fixing that is a much harder
- * job. For now, simply free the i_security via RCU, and
- * leave the current inode->i_security pointer intact.
- * The inode will be freed after the RCU grace period too.
- */
- call_rcu(&isec->rcu, inode_free_rcu);
}
static int file_alloc_security(struct file *file)
@@ -357,11 +332,7 @@ static int file_alloc_security(struct file *file)
static int superblock_alloc_security(struct super_block *sb)
{
- struct superblock_security_struct *sbsec;
-
- sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
- if (!sbsec)
- return -ENOMEM;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
mutex_init(&sbsec->lock);
INIT_LIST_HEAD(&sbsec->isec_head);
@@ -370,18 +341,10 @@ static int superblock_alloc_security(struct super_block *sb)
sbsec->sid = SECINITSID_UNLABELED;
sbsec->def_sid = SECINITSID_FILE;
sbsec->mntpoint_sid = SECINITSID_UNLABELED;
- sb->s_security = sbsec;
return 0;
}
-static void superblock_free_security(struct super_block *sb)
-{
- struct superblock_security_struct *sbsec = sb->s_security;
- sb->s_security = NULL;
- kfree(sbsec);
-}
-
/* The file system's label must be initialized prior to use. */
static const char *labeling_behaviors[7] = {
@@ -457,7 +420,7 @@ static int may_context_mount_inode_relabel(u32 sid,
static int selinux_is_sblabel_mnt(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
return sbsec->behavior == SECURITY_FS_USE_XATTR ||
sbsec->behavior == SECURITY_FS_USE_TRANS ||
@@ -476,7 +439,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
static int sb_finish_set_opts(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
struct dentry *root = sb->s_root;
struct inode *root_inode = d_backing_inode(root);
int rc = 0;
@@ -555,7 +518,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
struct security_mnt_opts *opts)
{
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
char *context = NULL;
u32 len;
char tmp;
@@ -618,7 +581,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct dentry *root = sbsec->sb->s_root;
- struct inode_security_struct *isec = backing_inode_security(root);
+ struct inode_security_struct *isec =
+ backing_inode_security(root);
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
@@ -671,7 +635,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
{
const struct cred *cred = current_cred();
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
const char *name = sb->s_type->name;
struct dentry *root = sbsec->sb->s_root;
struct inode_security_struct *root_isec;
@@ -919,8 +883,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
static int selinux_cmp_sb_context(const struct super_block *oldsb,
const struct super_block *newsb)
{
- struct superblock_security_struct *old = oldsb->s_security;
- struct superblock_security_struct *new = newsb->s_security;
+ struct superblock_security_struct *old = selinux_superblock(oldsb);
+ struct superblock_security_struct *new = selinux_superblock(newsb);
char oldflags = old->flags & SE_MNTMASK;
char newflags = new->flags & SE_MNTMASK;
@@ -949,8 +913,9 @@ static int selinux_cmp_sb_context(const struct super_block *oldsb,
static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
struct super_block *newsb)
{
- const struct superblock_security_struct *oldsbsec = oldsb->s_security;
- struct superblock_security_struct *newsbsec = newsb->s_security;
+ const struct superblock_security_struct *oldsbsec =
+ selinux_superblock(oldsb);
+ struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
int set_context = (oldsbsec->flags & CONTEXT_MNT);
@@ -984,14 +949,17 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
if (!set_fscontext)
newsbsec->sid = sid;
if (!set_rootcontext) {
- struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
+ struct inode_security_struct *newisec =
+ backing_inode_security(newsb->s_root);
newisec->sid = sid;
}
newsbsec->mntpoint_sid = sid;
}
if (set_rootcontext) {
- const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
- struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
+ const struct inode_security_struct *oldisec =
+ backing_inode_security(oldsb->s_root);
+ struct inode_security_struct *newisec =
+ backing_inode_security(newsb->s_root);
newisec->sid = oldisec->sid;
}
@@ -1434,7 +1402,7 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
struct superblock_security_struct *sbsec = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 task_sid, sid = 0;
u16 sclass;
struct dentry *dentry;
@@ -1453,7 +1421,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
if (isec->sclass == SECCLASS_FILE)
isec->sclass = inode_mode_to_security_class(inode->i_mode);
- sbsec = inode->i_sb->s_security;
+ sbsec = selinux_superblock(inode->i_sb);
if (!(sbsec->flags & SE_SBINITIALIZED)) {
/* Defer initialization until selinux_complete_init,
after the initial policy is loaded and the security
@@ -1719,7 +1687,7 @@ static int inode_has_perm(const struct cred *cred,
return 0;
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = selinux_inode(inode);
return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
}
@@ -1816,7 +1784,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
const struct qstr *name, u16 tclass,
u32 *_new_isid)
{
- const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
+ const struct superblock_security_struct *sbsec =
+ selinux_superblock(dir->i_sb);
if ((sbsec->flags & SE_SBINITIALIZED) &&
(sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
@@ -1846,7 +1815,7 @@ static int may_create(struct inode *dir,
int rc;
dsec = inode_security(dir);
- sbsec = dir->i_sb->s_security;
+ sbsec = selinux_superblock(dir->i_sb);
sid = tsec->sid;
@@ -1985,7 +1954,7 @@ static int superblock_has_perm(const struct cred *cred,
struct superblock_security_struct *sbsec;
u32 sid = cred_sid(cred);
- sbsec = sb->s_security;
+ sbsec = selinux_superblock(sb);
return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
@@ -2579,11 +2548,6 @@ static int selinux_sb_alloc_security(struct super_block *sb)
return superblock_alloc_security(sb);
}
-static void selinux_sb_free_security(struct super_block *sb)
-{
- superblock_free_security(sb);
-}
-
static inline int match_prefix(char *prefix, int plen, char *option, int olen)
{
if (plen > olen)
@@ -2680,7 +2644,7 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
int rc, i, *flags;
struct security_mnt_opts opts;
char *secdata, **mount_options;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
if (!(sbsec->flags & SE_SBINITIALIZED))
return 0;
@@ -2871,7 +2835,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
int rc;
char *context;
- sbsec = dir->i_sb->s_security;
+ sbsec = selinux_superblock(dir->i_sb);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -2885,7 +2849,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
/* Possibly defer initialization to selinux_complete_init. */
if (sbsec->flags & SE_SBINITIALIZED) {
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
isec->sclass = inode_mode_to_security_class(inode->i_mode);
isec->sid = newsid;
isec->initialized = LABEL_INITIALIZED;
@@ -2983,7 +2947,7 @@ static noinline int audit_inode_permission(struct inode *inode,
unsigned flags)
{
struct common_audit_data ad;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
int rc;
ad.type = LSM_AUDIT_DATA_INODE;
@@ -3104,7 +3068,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
- sbsec = inode->i_sb->s_security;
+ sbsec = selinux_superblock(inode->i_sb);
if (!(sbsec->flags & SBLABEL_MNT))
return -EOPNOTSUPP;
@@ -3929,7 +3893,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
static void selinux_task_to_inode(struct task_struct *p,
struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 sid = task_sid(p);
spin_lock(&isec->lock);
@@ -4215,7 +4179,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
static int sock_has_perm(struct sock *sk, u32 perms)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4270,7 +4234,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
isec->initialized = LABEL_INITIALIZED;
if (sock->sk) {
- sksec = sock->sk->sk_security;
+ sksec = selinux_sock(sock->sk);
sksec->sclass = sclass;
sksec->sid = sid;
err = selinux_netlbl_socket_post_create(sock->sk, family);
@@ -4301,7 +4265,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
family = sk->sk_family;
if (family == PF_INET || family == PF_INET6) {
char *addrp;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
struct sockaddr_in *addr4 = NULL;
@@ -4386,7 +4350,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
int err;
err = sock_has_perm(sk, SOCKET__CONNECT);
@@ -4518,9 +4482,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
{
- struct sk_security_struct *sksec_sock = sock->sk_security;
- struct sk_security_struct *sksec_other = other->sk_security;
- struct sk_security_struct *sksec_new = newsk->sk_security;
+ struct sk_security_struct *sksec_sock = selinux_sock(sock);
+ struct sk_security_struct *sksec_other = selinux_sock(other);
+ struct sk_security_struct *sksec_new = selinux_sock(newsk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
int err;
@@ -4551,8 +4515,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
static int selinux_socket_unix_may_send(struct socket *sock,
struct socket *other)
{
- struct sk_security_struct *ssec = sock->sk->sk_security;
- struct sk_security_struct *osec = other->sk->sk_security;
+ struct sk_security_struct *ssec = selinux_sock(sock->sk);
+ struct sk_security_struct *osec = selinux_sock(other->sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4591,7 +4555,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
int err = 0;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4623,7 +4587,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
int err;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
@@ -4689,13 +4653,15 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return err;
}
-static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
- int __user *optlen, unsigned len)
+static int selinux_socket_getpeersec_stream(struct socket *sock,
+ __user char *optval,
+ __user int *optlen,
+ unsigned int len)
{
int err = 0;
char *scontext;
u32 scontext_len;
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sock->sk);
u32 peer_sid = SECSID_NULL;
if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
@@ -4753,34 +4719,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
{
- struct sk_security_struct *sksec;
-
- sksec = kzalloc(sizeof(*sksec), priority);
- if (!sksec)
- return -ENOMEM;
+ struct sk_security_struct *sksec = selinux_sock(sk);
sksec->peer_sid = SECINITSID_UNLABELED;
sksec->sid = SECINITSID_UNLABELED;
sksec->sclass = SECCLASS_SOCKET;
selinux_netlbl_sk_security_reset(sksec);
- sk->sk_security = sksec;
return 0;
}
static void selinux_sk_free_security(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
- sk->sk_security = NULL;
selinux_netlbl_sk_security_free(sksec);
- kfree(sksec);
}
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
{
- struct sk_security_struct *sksec = sk->sk_security;
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
+ struct sk_security_struct *newsksec = selinux_sock(newsk);
newsksec->sid = sksec->sid;
newsksec->peer_sid = sksec->peer_sid;
@@ -4794,7 +4753,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
if (!sk)
*secid = SECINITSID_ANY_SOCKET;
else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
*secid = sksec->sid;
}
@@ -4804,7 +4763,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
struct inode_security_struct *isec =
inode_security_novalidate(SOCK_INODE(parent));
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
sk->sk_family == PF_UNIX)
@@ -4815,7 +4774,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
int err;
u16 family = req->rsk_ops->family;
u32 connsid;
@@ -4836,7 +4795,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void selinux_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *newsksec = selinux_sock(newsk);
newsksec->sid = req->secid;
newsksec->peer_sid = req->peer_secid;
@@ -4853,7 +4812,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
{
u16 family = sk->sk_family;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
/* handle mapped IPv4 packets arriving via IPv6 sockets */
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -4933,7 +4892,7 @@ static int selinux_tun_dev_attach_queue(void *security)
static int selinux_tun_dev_attach(struct sock *sk, void *security)
{
struct tun_security_struct *tunsec = security;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
/* we don't currently perform any NetLabel based labeling here and it
* isn't clear that we would want to do so anyway; while we could apply
@@ -4972,7 +4931,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
int err = 0;
u32 perm;
struct nlmsghdr *nlh;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (skb->len < NLMSG_HDRLEN) {
err = -EINVAL;
@@ -5111,7 +5070,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
return NF_ACCEPT;
/* standard practice, label using the parent socket */
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
sid = sksec->sid;
} else
sid = SECINITSID_KERNEL;
@@ -5150,7 +5109,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
if (sk == NULL)
return NF_ACCEPT;
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net;
@@ -5241,7 +5200,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
u32 skb_sid;
struct sk_security_struct *sksec;
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
return NF_DROP;
/* At this point, if the returned skb peerlbl is SECSID_NULL
@@ -5270,7 +5229,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
} else {
/* Locally generated packet, fetch the security label from the
* associated socket. */
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
peer_sid = sksec->sid;
secmark_perm = PACKET__SEND;
}
@@ -5330,51 +5289,22 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
return selinux_nlmsg_perm(sk, skb);
}
-static int ipc_alloc_security(struct kern_ipc_perm *perm,
- u16 sclass)
+static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
{
- struct ipc_security_struct *isec;
-
- isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
- if (!isec)
- return -ENOMEM;
-
isec->sclass = sclass;
isec->sid = current_sid();
- perm->security = isec;
-
- return 0;
-}
-
-static void ipc_free_security(struct kern_ipc_perm *perm)
-{
- struct ipc_security_struct *isec = perm->security;
- perm->security = NULL;
- kfree(isec);
}
static int msg_msg_alloc_security(struct msg_msg *msg)
{
struct msg_security_struct *msec;
- msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
- if (!msec)
- return -ENOMEM;
-
+ msec = selinux_msg_msg(msg);
msec->sid = SECINITSID_UNLABELED;
- msg->security = msec;
return 0;
}
-static void msg_msg_free_security(struct msg_msg *msg)
-{
- struct msg_security_struct *msec = msg->security;
-
- msg->security = NULL;
- kfree(msec);
-}
-
static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
u32 perms)
{
@@ -5382,7 +5312,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
struct common_audit_data ad;
u32 sid = current_sid();
- isec = ipc_perms->security;
+ isec = selinux_ipc(ipc_perms);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = ipc_perms->key;
@@ -5395,11 +5325,6 @@ static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
return msg_msg_alloc_security(msg);
}
-static void selinux_msg_msg_free_security(struct msg_msg *msg)
-{
- msg_msg_free_security(msg);
-}
-
/* message queue security operations */
static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
{
@@ -5408,27 +5333,15 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
- if (rc)
- return rc;
-
- isec = msq->q_perm.security;
+ isec = selinux_ipc(&msq->q_perm);
+ ipc_init_security(isec, SECCLASS_MSGQ);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
MSGQ__CREATE, &ad);
- if (rc) {
- ipc_free_security(&msq->q_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_msg_queue_free_security(struct msg_queue *msq)
-{
- ipc_free_security(&msq->q_perm);
+ return rc;
}
static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
@@ -5437,7 +5350,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = msq->q_perm.security;
+ isec = selinux_ipc(&msq->q_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -5483,8 +5396,8 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = current_sid();
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = selinux_ipc(&msq->q_perm);
+ msec = selinux_msg_msg(msg);
/*
* First time through, need to assign label to the message
@@ -5528,8 +5441,8 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = task_sid(target);
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = selinux_ipc(&msq->q_perm);
+ msec = selinux_msg_msg(msg);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -5550,27 +5463,15 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
- if (rc)
- return rc;
-
- isec = shp->shm_perm.security;
+ isec = selinux_ipc(&shp->shm_perm);
+ ipc_init_security(isec, SECCLASS_SHM);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
SHM__CREATE, &ad);
- if (rc) {
- ipc_free_security(&shp->shm_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_shm_free_security(struct shmid_kernel *shp)
-{
- ipc_free_security(&shp->shm_perm);
+ return rc;
}
static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
@@ -5579,7 +5480,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = shp->shm_perm.security;
+ isec = selinux_ipc(&shp->shm_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -5643,27 +5544,15 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
- if (rc)
- return rc;
-
- isec = sma->sem_perm.security;
+ isec = selinux_ipc(&sma->sem_perm);
+ ipc_init_security(isec, SECCLASS_SEM);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
SEM__CREATE, &ad);
- if (rc) {
- ipc_free_security(&sma->sem_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_sem_free_security(struct sem_array *sma)
-{
- ipc_free_security(&sma->sem_perm);
+ return rc;
}
static int selinux_sem_associate(struct sem_array *sma, int semflg)
@@ -5672,7 +5561,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = sma->sem_perm.security;
+ isec = selinux_ipc(&sma->sem_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5755,7 +5644,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- struct ipc_security_struct *isec = ipcp->security;
+ struct ipc_security_struct *isec = selinux_ipc(ipcp);
*secid = isec->sid;
}
@@ -5982,7 +5871,7 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
static void selinux_inode_invalidate_secctx(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
spin_lock(&isec->lock);
isec->initialized = LABEL_INVALID;
@@ -6021,11 +5910,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
unsigned long flags)
{
const struct task_security_struct *tsec;
- struct key_security_struct *ksec;
-
- ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
- if (!ksec)
- return -ENOMEM;
+ struct key_security_struct *ksec = selinux_key(k);
tsec = selinux_cred(cred);
if (tsec->keycreate_sid)
@@ -6033,18 +5918,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
else
ksec->sid = tsec->sid;
- k->security = ksec;
return 0;
}
-static void selinux_key_free(struct key *k)
-{
- struct key_security_struct *ksec = k->security;
-
- k->security = NULL;
- kfree(ksec);
-}
-
static int selinux_key_permission(key_ref_t key_ref,
const struct cred *cred,
unsigned perm)
@@ -6062,14 +5938,14 @@ static int selinux_key_permission(key_ref_t key_ref,
sid = cred_sid(cred);
key = key_ref_to_ptr(key_ref);
- ksec = key->security;
+ ksec = selinux_key(key);
return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
static int selinux_key_getsecurity(struct key *key, char **_buffer)
{
- struct key_security_struct *ksec = key->security;
+ struct key_security_struct *ksec = selinux_key(key);
char *context = NULL;
unsigned len;
int rc;
@@ -6086,6 +5962,14 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
struct lsm_blob_sizes selinux_blob_sizes = {
.lbs_cred = sizeof(struct task_security_struct),
.lbs_file = sizeof(struct file_security_struct),
+ .lbs_inode = sizeof(struct inode_security_struct),
+ .lbs_ipc = sizeof(struct ipc_security_struct),
+#ifdef CONFIG_KEYS
+ .lbs_key = sizeof(struct key_security_struct),
+#endif /* CONFIG_KEYS */
+ .lbs_msg_msg = sizeof(struct msg_security_struct),
+ .lbs_sock = sizeof(struct sk_security_struct),
+ .lbs_superblock = sizeof(struct superblock_security_struct),
};
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
@@ -6112,7 +5996,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
- LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
@@ -6195,24 +6078,20 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
- LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
LSM_HOOK_INIT(msg_queue_alloc_security,
selinux_msg_queue_alloc_security),
- LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
- LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
- LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
@@ -6288,7 +6167,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
#ifdef CONFIG_KEYS
LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
- LSM_HOOK_INIT(key_free, selinux_key_free),
LSM_HOOK_INIT(key_permission, selinux_key_permission),
LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
#endif
@@ -6329,9 +6207,6 @@ static __init int selinux_init(void)
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
- sel_inode_cache = kmem_cache_create("selinux_inode_security",
- sizeof(struct inode_security_struct),
- 0, SLAB_PANIC, NULL);
avc_init();
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 5be9c72..05fe04a 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -58,10 +58,7 @@ enum label_initialized {
struct inode_security_struct {
struct inode *inode; /* back pointer to inode object */
- union {
- struct list_head list; /* list of inode_security_struct */
- struct rcu_head rcu; /* for freeing the inode_security_struct */
- };
+ struct list_head list; /* list of inode_security_struct */
u32 task_sid; /* SID of creating task */
u32 sid; /* SID of this object */
u16 sclass; /* security class of this object */
@@ -163,4 +160,64 @@ static inline struct file_security_struct *selinux_file(const struct file *file)
#endif
}
+static inline struct inode_security_struct *selinux_inode(
+ const struct inode *inode)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return inode->i_security + selinux_blob_sizes.lbs_inode;
+#else
+ return inode->i_security;
+#endif
+}
+
+static inline struct superblock_security_struct *selinux_superblock(
+ const struct super_block *superblock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return superblock->s_security + selinux_blob_sizes.lbs_superblock;
+#else
+ return superblock->s_security;
+#endif
+}
+
+static inline struct msg_security_struct *selinux_msg_msg(
+ const struct msg_msg *msg_msg)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
+#else
+ return msg_msg->security;
+#endif
+}
+
+static inline struct ipc_security_struct *selinux_ipc(
+ const struct kern_ipc_perm *ipc)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return ipc->security + selinux_blob_sizes.lbs_ipc;
+#else
+ return ipc->security;
+#endif
+}
+
+#ifdef CONFIG_KEYS
+static inline struct key_security_struct *selinux_key(const struct key *key)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return key->security + selinux_blob_sizes.lbs_key;
+#else
+ return key->security;
+#endif
+}
+#endif /* CONFIG_KEYS */
+
+static inline struct sk_security_struct *selinux_sock(const struct sock *sock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return sock->sk_security + selinux_blob_sizes.lbs_sock;
+#else
+ return sock->sk_security;
+#endif
+}
+
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index aaba667..0b0091c 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -32,6 +32,7 @@
#include <linux/gfp.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
+#include <linux/lsm_hooks.h>
#include <net/sock.h>
#include <net/netlabel.h>
#include <net/ip.h>
@@ -82,7 +83,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_secattr != NULL)
@@ -114,7 +115,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
const struct sock *sk,
u32 sid)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr;
if (secattr == NULL)
@@ -249,7 +250,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
* being labeled by it's parent socket, if it is just exit */
sk = skb_to_full_sk(skb);
if (sk != NULL) {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (sksec->nlbl_state != NLBL_REQSKB)
return 0;
secattr = selinux_netlbl_sock_getattr(sk, sid);
@@ -311,7 +312,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
*/
void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (family == PF_INET)
sksec->nlbl_state = NLBL_LABELED;
@@ -332,7 +333,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (family != PF_INET && family != PF_INET6)
@@ -446,7 +447,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
{
int rc = 0;
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr secattr;
if (selinux_netlbl_option(level, optname) &&
@@ -482,7 +483,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_state != NLBL_REQSKB &&
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 645beb1..a3038f8 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1309,7 +1309,7 @@ static int sel_make_bools(void)
if (len >= PAGE_SIZE)
goto out;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = (struct inode_security_struct *)selinux_inode(inode);
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
if (ret) {
pr_warn_ratelimited("SELinux: no sid found, defaulting to security isid for %s\n",
@@ -1850,7 +1850,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
goto err;
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = (struct inode_security_struct *)selinux_inode(inode);
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = LABEL_INITIALIZED;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b4aa491..9b617de 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -52,6 +52,7 @@
#include <linux/selinux.h>
#include <linux/flex_array.h>
#include <linux/vmalloc.h>
+#include <linux/lsm_hooks.h>
#include <net/netlabel.h>
#include "flask.h"
@@ -2546,7 +2547,7 @@ int security_fs_use(struct super_block *sb)
{
int rc = 0;
struct ocontext *c;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
const char *fstype = sb->s_type->name;
read_lock(&policy_rwlock);
diff --git a/security/smack/smack.h b/security/smack/smack.h
index a84c231..e1cd53e 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -375,12 +375,69 @@ static inline struct smack_known **smack_file(const struct file *file)
#endif
}
+static inline struct inode_smack *smack_inode(const struct inode *inode)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return inode->i_security + smack_blob_sizes.lbs_inode;
+#else
+ return inode->i_security;
+#endif
+}
+
+static inline struct socket_smack *smack_sock(const struct sock *sock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return sock->sk_security + smack_blob_sizes.lbs_sock;
+#else
+ return sock->sk_security;
+#endif
+}
+
+static inline struct superblock_smack *smack_superblock(
+ const struct super_block *superblock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return superblock->s_security + smack_blob_sizes.lbs_superblock;
+#else
+ return superblock->s_security;
+#endif
+}
+
+static inline struct smack_known **smack_msg_msg(const struct msg_msg *msg)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return msg->security + smack_blob_sizes.lbs_msg_msg;
+#else
+ return msg->security;
+#endif
+}
+
+static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return ipc->security + smack_blob_sizes.lbs_ipc;
+#else
+ return ipc->security;
+#endif
+}
+
+#ifdef CONFIG_KEYS
+static inline struct smack_known **smack_key(const struct key *key)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return key->security + smack_blob_sizes.lbs_key;
+#else
+ return key->security;
+#endif
+}
+#endif /* CONFIG_KEYS */
+
/*
* Is the directory transmuting?
*/
static inline int smk_inode_transmutable(const struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = smack_inode(isp);
return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
}
@@ -389,7 +446,7 @@ static inline int smk_inode_transmutable(const struct inode *isp)
*/
static inline struct smack_known *smk_of_inode(const struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = smack_inode(isp);
return sip->smk_inode;
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index af741fa..9233b33 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -165,7 +165,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
static int smk_bu_inode(struct inode *inode, int mode, int rc)
{
struct task_smack *tsp = smack_cred(current_cred());
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -197,7 +197,7 @@ static int smk_bu_file(struct file *file, int mode, int rc)
struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -227,7 +227,7 @@ static int smk_bu_credfile(const struct cred *cred, struct file *file,
struct task_smack *tsp = smack_cred(cred);
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -287,24 +287,18 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip,
}
/**
- * new_inode_smack - allocate an inode security blob
+ * init_inode_smack - initialize an inode security blob
+ * @isp: the blob to initialize
* @skp: a pointer to the Smack label entry to use in the blob
*
- * Returns the new blob or NULL if there's no memory available
*/
-static struct inode_smack *new_inode_smack(struct smack_known *skp)
+static void init_inode_smack(struct inode *inode, struct smack_known *skp)
{
- struct inode_smack *isp;
-
- isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS);
- if (isp == NULL)
- return NULL;
+ struct inode_smack *isp = smack_inode(inode);
isp->smk_inode = skp;
isp->smk_flags = 0;
mutex_init(&isp->smk_lock);
-
- return isp;
}
/**
@@ -525,12 +519,7 @@ static int smack_syslog(int typefrom_file)
*/
static int smack_sb_alloc_security(struct super_block *sb)
{
- struct superblock_smack *sbsp;
-
- sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);
-
- if (sbsp == NULL)
- return -ENOMEM;
+ struct superblock_smack *sbsp = smack_superblock(sb);
sbsp->smk_root = &smack_known_floor;
sbsp->smk_default = &smack_known_floor;
@@ -539,23 +528,11 @@ static int smack_sb_alloc_security(struct super_block *sb)
/*
* SMK_SB_INITIALIZED will be zero from kzalloc.
*/
- sb->s_security = sbsp;
return 0;
}
/**
- * smack_sb_free_security - free a superblock blob
- * @sb: the superblock getting the blob
- *
- */
-static void smack_sb_free_security(struct super_block *sb)
-{
- kfree(sb->s_security);
- sb->s_security = NULL;
-}
-
-/**
* smack_sb_copy_data - copy mount options data for processing
* @orig: where to start
* @smackopts: mount options string
@@ -747,7 +724,7 @@ static int smack_set_mnt_opts(struct super_block *sb,
{
struct dentry *root = sb->s_root;
struct inode *inode = d_backing_inode(root);
- struct superblock_smack *sp = sb->s_security;
+ struct superblock_smack *sp = smack_superblock(sb);
struct inode_smack *isp;
struct smack_known *skp;
int i;
@@ -825,17 +802,13 @@ static int smack_set_mnt_opts(struct super_block *sb,
/*
* Initialize the root inode.
*/
- isp = inode->i_security;
- if (isp == NULL) {
- isp = new_inode_smack(sp->smk_root);
- if (isp == NULL)
- return -ENOMEM;
- inode->i_security = isp;
- } else
- isp->smk_inode = sp->smk_root;
+ lsm_early_inode(inode);
+ init_inode_smack(inode, sp->smk_root);
- if (transmute)
+ if (transmute) {
+ isp = smack_inode(inode);
isp->smk_flags |= SMK_INODE_TRANSMUTE;
+ }
return 0;
}
@@ -880,7 +853,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
*/
static int smack_sb_statfs(struct dentry *dentry)
{
- struct superblock_smack *sbp = dentry->d_sb->s_security;
+ struct superblock_smack *sbp = smack_superblock(dentry->d_sb);
int rc;
struct smk_audit_info ad;
@@ -913,11 +886,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- isp = inode->i_security;
+ isp = smack_inode(inode);
if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
return 0;
- sbsp = inode->i_sb->s_security;
+ sbsp = smack_superblock(inode->i_sb);
if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
isp->smk_task != sbsp->smk_root)
return 0;
@@ -990,49 +963,11 @@ static int smack_inode_alloc_security(struct inode *inode)
{
struct smack_known *skp = smk_of_current();
- inode->i_security = new_inode_smack(skp);
- if (inode->i_security == NULL)
- return -ENOMEM;
+ init_inode_smack(inode, skp);
return 0;
}
/**
- * smack_inode_free_rcu - Free inode_smack blob from cache
- * @head: the rcu_head for getting inode_smack pointer
- *
- * Call back function called from call_rcu() to free
- * the i_security blob pointer in inode
- */
-static void smack_inode_free_rcu(struct rcu_head *head)
-{
- struct inode_smack *issp;
-
- issp = container_of(head, struct inode_smack, smk_rcu);
- kmem_cache_free(smack_inode_cache, issp);
-}
-
-/**
- * smack_inode_free_security - free an inode blob using call_rcu()
- * @inode: the inode with a blob
- *
- * Clears the blob pointer in inode using RCU
- */
-static void smack_inode_free_security(struct inode *inode)
-{
- struct inode_smack *issp = inode->i_security;
-
- /*
- * The inode may still be referenced in a path walk and
- * a call to smack_inode_permission() can be made
- * after smack_inode_free_security() is called.
- * To avoid race condition free the i_security via RCU
- * and leave the current inode->i_security pointer intact.
- * The inode will be freed after the RCU grace period too.
- */
- call_rcu(&issp->smk_rcu, smack_inode_free_rcu);
-}
-
-/**
* smack_inode_init_security - copy out the smack from an inode
* @inode: the newly created inode
* @dir: containing directory object
@@ -1047,7 +982,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, const char **name,
void **value, size_t *len)
{
- struct inode_smack *issp = inode->i_security;
+ struct inode_smack *issp = smack_inode(inode);
struct smack_known *skp = smk_of_current();
struct smack_known *isp = smk_of_inode(inode);
struct smack_known *dsp = smk_of_inode(dir);
@@ -1385,7 +1320,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
struct smack_known *skp;
- struct inode_smack *isp = d_backing_inode(dentry)->i_security;
+ struct inode_smack *isp = smack_inode(d_backing_inode(dentry));
if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
isp->smk_flags |= SMK_INODE_TRANSMUTE;
@@ -1466,7 +1401,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
if (rc != 0)
return rc;
- isp = d_backing_inode(dentry)->i_security;
+ isp = smack_inode(d_backing_inode(dentry));
/*
* Don't do anything special for these.
* XATTR_NAME_SMACKIPIN
@@ -1526,7 +1461,7 @@ static int smack_inode_getsecurity(struct inode *inode,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
isp = ssp->smk_in;
@@ -1569,7 +1504,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
*/
static void smack_inode_getsecid(struct inode *inode, u32 *secid)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
*secid = isp->smk_inode->smk_secid;
}
@@ -1746,7 +1681,7 @@ static int smack_mmap_file(struct file *file,
if (unlikely(IS_PRIVATE(file_inode(file))))
return 0;
- isp = file_inode(file)->i_security;
+ isp = smack_inode(file_inode(file));
if (isp->smk_mmap == NULL)
return 0;
sbsp = file_inode(file)->i_sb->s_security;
@@ -1902,7 +1837,7 @@ static int smack_file_receive(struct file *file)
if (S_ISSOCK(inode->i_mode)) {
sock = SOCKET_I(inode);
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
tsp = smack_cred(current_cred());
/*
* If the receiving process can't write to the
@@ -2071,7 +2006,7 @@ static int smack_kernel_act_as(struct cred *new, u32 secid)
static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
struct task_smack *tsp = smack_cred(new);
tsp->smk_forked = isp->smk_inode;
@@ -2273,7 +2208,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
*/
static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
struct smack_known *skp = smk_of_task_struct(p);
isp->smk_inode = skp;
@@ -2296,11 +2231,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
{
struct smack_known *skp = smk_of_current();
- struct socket_smack *ssp;
-
- ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
- if (ssp == NULL)
- return -ENOMEM;
+ struct socket_smack *ssp = smack_sock(sk);
/*
* Sockets created by kernel threads receive web label.
@@ -2314,11 +2245,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
}
ssp->smk_packet = NULL;
- sk->sk_security = ssp;
-
return 0;
}
+#ifdef SMACK_IPV6_PORT_LABELING
/**
* smack_sk_free_security - Free a socket blob
* @sk: the socket
@@ -2327,7 +2257,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
*/
static void smack_sk_free_security(struct sock *sk)
{
-#ifdef SMACK_IPV6_PORT_LABELING
struct smk_port_label *spp;
if (sk->sk_family == PF_INET6) {
@@ -2340,9 +2269,9 @@ static void smack_sk_free_security(struct sock *sk)
}
rcu_read_unlock();
}
-#endif
kfree(sk->sk_security);
}
+#endif
/**
* smack_ipv4host_label - check host based restrictions
@@ -2460,7 +2389,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
static int smack_netlabel(struct sock *sk, int labeled)
{
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
int rc = 0;
/*
@@ -2505,7 +2434,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
int rc;
int sk_lbl;
struct smack_known *hkp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smk_audit_info ad;
rcu_read_lock();
@@ -2581,7 +2510,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
{
struct sock *sk = sock->sk;
struct sockaddr_in6 *addr6;
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
struct smk_port_label *spp;
unsigned short port = 0;
@@ -2668,7 +2597,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
int act)
{
struct smk_port_label *spp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp = NULL;
unsigned short port;
struct smack_known *object;
@@ -2735,7 +2664,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
struct smack_known *skp;
- struct inode_smack *nsp = inode->i_security;
+ struct inode_smack *nsp = smack_inode(inode);
struct socket_smack *ssp;
struct socket *sock;
int rc = 0;
@@ -2762,7 +2691,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
ssp->smk_in = skp;
@@ -2810,7 +2739,7 @@ static int smack_socket_post_create(struct socket *sock, int family,
* Sockets created by kernel threads receive web label.
*/
if (unlikely(current->flags & PF_KTHREAD)) {
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
ssp->smk_in = &smack_known_web;
ssp->smk_out = &smack_known_web;
}
@@ -2862,7 +2791,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
struct smack_known *rsp;
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
#endif
if (sock->sk == NULL)
@@ -2919,35 +2848,13 @@ static int smack_flags_to_may(int flags)
*/
static int smack_msg_msg_alloc_security(struct msg_msg *msg)
{
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_msg_msg(msg);
- msg->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_msg_msg_free_security - Clear the security blob for msg_msg
- * @msg: the object
- *
- * Clears the blob pointer
- */
-static void smack_msg_msg_free_security(struct msg_msg *msg)
-{
- msg->security = NULL;
-}
-
-/**
- * smack_of_shm - the smack pointer for the shm
- * @shp: the object
- *
- * Returns a pointer to the smack value
- */
-static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
-{
- return (struct smack_known *)shp->shm_perm.security;
-}
-
-/**
* smack_shm_alloc_security - Set the security blob for shm
* @shp: the object
*
@@ -2955,27 +2862,13 @@ static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
*/
static int smack_shm_alloc_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&shp->shm_perm);
- isp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_shm_free_security - Clear the security blob for shm
- * @shp: the object
- *
- * Clears the blob pointer
- */
-static void smack_shm_free_security(struct shmid_kernel *shp)
-{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = NULL;
-}
-
-/**
* smk_curacc_shm : check if current has access on shm
* @shp : the object
* @access : access requested
@@ -2984,7 +2877,8 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
*/
static int smk_curacc_shm(struct shmid_kernel *shp, int access)
{
- struct smack_known *ssp = smack_of_shm(shp);
+ struct smack_known **blob = smack_ipc(&shp->shm_perm);
+ struct smack_known *ssp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3064,17 +2958,6 @@ static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
}
/**
- * smack_of_sem - the smack pointer for the sem
- * @sma: the object
- *
- * Returns a pointer to the smack value
- */
-static struct smack_known *smack_of_sem(struct sem_array *sma)
-{
- return (struct smack_known *)sma->sem_perm.security;
-}
-
-/**
* smack_sem_alloc_security - Set the security blob for sem
* @sma: the object
*
@@ -3082,27 +2965,13 @@ static struct smack_known *smack_of_sem(struct sem_array *sma)
*/
static int smack_sem_alloc_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&sma->sem_perm);
- isp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_sem_free_security - Clear the security blob for sem
- * @sma: the object
- *
- * Clears the blob pointer
- */
-static void smack_sem_free_security(struct sem_array *sma)
-{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = NULL;
-}
-
-/**
* smk_curacc_sem : check if current has access on sem
* @sma : the object
* @access : access requested
@@ -3111,7 +2980,8 @@ static void smack_sem_free_security(struct sem_array *sma)
*/
static int smk_curacc_sem(struct sem_array *sma, int access)
{
- struct smack_known *ssp = smack_of_sem(sma);
+ struct smack_known **blob = smack_ipc(&sma->sem_perm);
+ struct smack_known *ssp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3197,45 +3067,20 @@ static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
}
/**
- * smack_msg_alloc_security - Set the security blob for msg
+ * smack_msg_queue_alloc_security - Set the security blob for msg
* @msq: the object
*
* Returns 0
*/
static int smack_msg_queue_alloc_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&msq->q_perm);
- kisp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_msg_free_security - Clear the security blob for msg
- * @msq: the object
- *
- * Clears the blob pointer
- */
-static void smack_msg_queue_free_security(struct msg_queue *msq)
-{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = NULL;
-}
-
-/**
- * smack_of_msq - the smack pointer for the msq
- * @msq: the object
- *
- * Returns a pointer to the smack label entry
- */
-static struct smack_known *smack_of_msq(struct msg_queue *msq)
-{
- return (struct smack_known *)msq->q_perm.security;
-}
-
-/**
* smk_curacc_msq : helper to check if current has access on msq
* @msq : the msq
* @access : access requested
@@ -3244,7 +3089,8 @@ static struct smack_known *smack_of_msq(struct msg_queue *msq)
*/
static int smk_curacc_msq(struct msg_queue *msq, int access)
{
- struct smack_known *msp = smack_of_msq(msq);
+ struct smack_known **blob = smack_ipc(&msq->q_perm);
+ struct smack_known *msp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3347,7 +3193,8 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
*/
static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
{
- struct smack_known *iskp = ipp->security;
+ struct smack_known **blob = smack_ipc(ipp);
+ struct smack_known *iskp = *blob;
int may = smack_flags_to_may(flag);
struct smk_audit_info ad;
int rc;
@@ -3368,7 +3215,8 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
*/
static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
{
- struct smack_known *iskp = ipp->security;
+ struct smack_known **blob = smack_ipc(ipp);
+ struct smack_known *iskp = *blob;
*secid = iskp->smk_secid;
}
@@ -3396,7 +3244,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
if (inode == NULL)
return;
- isp = inode->i_security;
+ isp = smack_inode(inode);
mutex_lock(&isp->smk_lock);
/*
@@ -3407,7 +3255,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
goto unlockandout;
sbp = inode->i_sb;
- sbsp = sbp->s_security;
+ sbsp = smack_superblock(sbp);
/*
* We're going to use the superblock default label
* if there's no label on the file.
@@ -3703,9 +3551,9 @@ static int smack_unix_stream_connect(struct sock *sock,
{
struct smack_known *skp;
struct smack_known *okp;
- struct socket_smack *ssp = sock->sk_security;
- struct socket_smack *osp = other->sk_security;
- struct socket_smack *nsp = newsk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock);
+ struct socket_smack *osp = smack_sock(other);
+ struct socket_smack *nsp = smack_sock(newsk);
struct smk_audit_info ad;
int rc = 0;
#ifdef CONFIG_AUDIT
@@ -3751,8 +3599,8 @@ static int smack_unix_stream_connect(struct sock *sock,
*/
static int smack_unix_may_send(struct socket *sock, struct socket *other)
{
- struct socket_smack *ssp = sock->sk->sk_security;
- struct socket_smack *osp = other->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
+ struct socket_smack *osp = smack_sock(other->sk);
struct smk_audit_info ad;
int rc;
@@ -3789,7 +3637,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
struct smack_known *rsp;
#endif
int rc = 0;
@@ -3953,7 +3801,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct netlbl_lsm_secattr secattr;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp = NULL;
int rc = 0;
struct smk_audit_info ad;
@@ -4062,7 +3910,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
int slen = 1;
int rc = 0;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (ssp->smk_packet != NULL) {
rcp = ssp->smk_packet->smk_known;
slen = strlen(rcp) + 1;
@@ -4112,7 +3960,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
switch (family) {
case PF_UNIX:
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
s = ssp->smk_out->smk_secid;
break;
case PF_INET:
@@ -4125,7 +3973,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
* Translate what netlabel gave us.
*/
if (sock != NULL && sock->sk != NULL)
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0) {
@@ -4163,7 +4011,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
(sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
return;
- ssp = sk->sk_security;
+ ssp = smack_sock(sk);
ssp->smk_in = skp;
ssp->smk_out = skp;
/* cssp->smk_packet is already set in smack_inet_csk_clone() */
@@ -4183,7 +4031,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
{
u16 family = sk->sk_family;
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct netlbl_lsm_secattr secattr;
struct sockaddr_in addr;
struct iphdr *hdr;
@@ -4282,7 +4130,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void smack_inet_csk_clone(struct sock *sk,
const struct request_sock *req)
{
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp;
if (req->peer_secid != 0) {
@@ -4314,24 +4162,14 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
+ struct smack_known **blob = smack_key(key);
struct smack_known *skp = smk_of_task(smack_cred(cred));
- key->security = skp;
+ *blob = skp;
return 0;
}
/**
- * smack_key_free - Clear the key security blob
- * @key: the object
- *
- * Clear the blob pointer
- */
-static void smack_key_free(struct key *key)
-{
- key->security = NULL;
-}
-
-/**
* smack_key_permission - Smack access on a key
* @key_ref: gets to the object
* @cred: the credentials to use
@@ -4343,6 +4181,8 @@ static void smack_key_free(struct key *key)
static int smack_key_permission(key_ref_t key_ref,
const struct cred *cred, unsigned perm)
{
+ struct smack_known **blob;
+ struct smack_known *skp;
struct key *keyp;
struct smk_audit_info ad;
struct smack_known *tkp = smk_of_task(smack_cred(cred));
@@ -4356,7 +4196,9 @@ static int smack_key_permission(key_ref_t key_ref,
* If the key hasn't been initialized give it access so that
* it may do so.
*/
- if (keyp->security == NULL)
+ blob = smack_key(keyp);
+ skp = *blob;
+ if (skp == NULL)
return 0;
/*
* This should not occur
@@ -4372,8 +4214,8 @@ static int smack_key_permission(key_ref_t key_ref,
request = MAY_READ;
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
request = MAY_WRITE;
- rc = smk_access(tkp, keyp->security, request, &ad);
- rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
+ rc = smk_access(tkp, skp, request, &ad);
+ rc = smk_bu_note("key access", tkp, skp, request, rc);
return rc;
}
@@ -4388,11 +4230,12 @@ static int smack_key_permission(key_ref_t key_ref,
*/
static int smack_key_getsecurity(struct key *key, char **_buffer)
{
- struct smack_known *skp = key->security;
+ struct smack_known **blob = smack_key(key);
+ struct smack_known *skp = *blob;
size_t length;
char *copy;
- if (key->security == NULL) {
+ if (skp == NULL) {
*_buffer = NULL;
return 0;
}
@@ -4601,6 +4444,14 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
struct lsm_blob_sizes smack_blob_sizes = {
.lbs_cred = sizeof(struct task_smack),
.lbs_file = sizeof(struct smack_known *),
+ .lbs_inode = sizeof(struct inode_smack),
+ .lbs_ipc = sizeof(struct smack_known *),
+#ifdef CONFIG_KEYS
+ .lbs_key = sizeof(struct smack_known *),
+#endif /* CONFIG_KEYS */
+ .lbs_msg_msg = sizeof(struct smack_known *),
+ .lbs_sock = sizeof(struct socket_smack),
+ .lbs_superblock = sizeof(struct superblock_smack),
};
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
@@ -4609,7 +4460,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(syslog, smack_syslog),
LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
- LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data),
LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount),
LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
@@ -4621,7 +4471,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec),
LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),
- LSM_HOOK_INIT(inode_free_security, smack_inode_free_security),
LSM_HOOK_INIT(inode_init_security, smack_inode_init_security),
LSM_HOOK_INIT(inode_link, smack_inode_link),
LSM_HOOK_INIT(inode_unlink, smack_inode_unlink),
@@ -4674,23 +4523,19 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
- LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security),
LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security),
- LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security),
LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl),
LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd),
LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv),
LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security),
- LSM_HOOK_INIT(shm_free_security, smack_shm_free_security),
LSM_HOOK_INIT(shm_associate, smack_shm_associate),
LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl),
LSM_HOOK_INIT(shm_shmat, smack_shm_shmat),
LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security),
- LSM_HOOK_INIT(sem_free_security, smack_sem_free_security),
LSM_HOOK_INIT(sem_associate, smack_sem_associate),
LSM_HOOK_INIT(sem_semctl, smack_sem_semctl),
LSM_HOOK_INIT(sem_semop, smack_sem_semop),
@@ -4713,7 +4558,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream),
LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram),
LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
+#ifdef SMACK_IPV6_PORT_LABELING
LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
+#endif
LSM_HOOK_INIT(sock_graft, smack_sock_graft),
LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),
@@ -4721,7 +4568,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
/* key management security hooks */
#ifdef CONFIG_KEYS
LSM_HOOK_INIT(key_alloc, smack_key_alloc),
- LSM_HOOK_INIT(key_free, smack_key_free),
LSM_HOOK_INIT(key_permission, smack_key_permission),
LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity),
#endif /* CONFIG_KEYS */
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 205b785..1c6c9b0 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -30,8 +30,8 @@ static unsigned int smack_ipv6_output(void *priv,
struct socket_smack *ssp;
struct smack_known *skp;
- if (sk && sk->sk_security) {
- ssp = sk->sk_security;
+ if (sk && smack_sock(sk)) {
+ ssp = smack_sock(sk);
skp = ssp->smk_out;
skb->secmark = skp->smk_secid;
}
@@ -48,8 +48,8 @@ static unsigned int smack_ipv4_output(void *priv,
struct socket_smack *ssp;
struct smack_known *skp;
- if (sk && sk->sk_security) {
- ssp = sk->sk_security;
+ if (sk && smack_sock(sk)) {
+ ssp = smack_sock(sk);
skp = ssp->smk_out;
skb->secmark = skp->smk_secid;
}
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 06/11] Smack: remove socket blob free
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (4 preceding siblings ...)
2017-04-05 21:53 ` [PATCH RFC 05/11] LSM: Infrastructure management of the remaining blobs Casey Schaufler
@ 2017-04-05 21:53 ` Casey Schaufler
2017-04-05 21:53 ` [PATCH RFC 07/11] LSM: Mount option data for extreme stacking Casey Schaufler
` (4 subsequent siblings)
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:53 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 06/11] Smack: remove socket blob free.
With stacking in place the infrastructure releases the
socket blob, so the module shouldn't.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/smack/smack_lsm.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 7c8ffe4..e1264b9 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2272,7 +2272,6 @@ static void smack_sk_free_security(struct sock *sk)
}
rcu_read_unlock();
}
- kfree(sk->sk_security);
}
#endif
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 07/11] LSM: Mount option data for extreme stacking
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (5 preceding siblings ...)
2017-04-05 21:53 ` [PATCH RFC 06/11] Smack: remove socket blob free Casey Schaufler
@ 2017-04-05 21:53 ` Casey Schaufler
2017-04-05 21:54 ` [PATCH RFC 09/11] netlabel agreement checking Casey Schaufler
` (3 subsequent siblings)
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:53 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 07/11] LSM: Mount option data for extreme stacking
Each security module that supports mount options needs its
own instance of the semi-processed data. The two security
modules that support this, SELinux and Smack, are provided
their own instance when necessary.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/btrfs/super.c | 10 ++---
include/linux/security.h | 69 ++++++++++++++++++++++++++++------
security/security.c | 15 ++++++--
security/selinux/hooks.c | 93 +++++++++++++++++++++++-----------------------
security/smack/smack_lsm.c | 51 ++++++++++++-------------
5 files changed, 147 insertions(+), 91 deletions(-)
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index da687dc..541cf4e 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1501,15 +1501,15 @@ static int setup_security_options(struct btrfs_fs_info *fs_info,
return ret;
#ifdef CONFIG_SECURITY
- if (!fs_info->security_opts.num_mnt_opts) {
+ if (fs_info->security_opts.selinux.num_mnt_opts != 0 ||
+ fs_info->security_opts.smack.num_mnt_opts != 0) {
/* first time security setup, copy sec_opts to fs_info */
memcpy(&fs_info->security_opts, sec_opts, sizeof(*sec_opts));
} else {
/*
- * Since SELinux (the only one supporting security_mnt_opts)
- * does NOT support changing context during remount/mount of
- * the same sb, this must be the same or part of the same
- * security options, just free it.
+ * Since no modules support changing context during
+ * remount/mount of the same sb, this must be the same
+ * or part of the same security options, just free it.
*/
security_free_mnt_opts(sec_opts);
}
diff --git a/include/linux/security.h b/include/linux/security.h
index 8ee9dbd..fdf35d2 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -68,6 +68,17 @@ struct audit_krule;
struct user_namespace;
struct timezone;
+/*
+ * Certain data elements need to be replicated when
+ * multiple security modules use them.
+ * This mechanism does not scale well beyond two modules.
+ */
+#if defined(CONFIG_SECURITY_STACKING) && \
+ defined(CONFIG_SECURITY_SELINUX) && \
+ defined(CONFIG_SECURITY_SMACK)
+#define SECURITY_EXTREME_STACKING
+#endif
+
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit);
@@ -157,30 +168,64 @@ typedef int (*initxattrs) (struct inode *inode,
#ifdef CONFIG_SECURITY
-struct security_mnt_opts {
+struct lsm_mnt_opts {
char **mnt_opts;
int *mnt_opts_flags;
int num_mnt_opts;
};
+#ifdef SECURITY_EXTREME_STACKING
+
+struct security_mnt_opts {
+ struct lsm_mnt_opts selinux;
+ struct lsm_mnt_opts smack;
+};
+
+#else
+
+struct security_mnt_opts {
+ union {
+ struct lsm_mnt_opts selinux;
+ struct lsm_mnt_opts smack;
+ };
+};
+
+#endif
+
static inline void security_init_mnt_opts(struct security_mnt_opts *opts)
{
- opts->mnt_opts = NULL;
- opts->mnt_opts_flags = NULL;
- opts->num_mnt_opts = 0;
+ opts->selinux.mnt_opts = NULL;
+ opts->selinux.mnt_opts_flags = NULL;
+ opts->selinux.num_mnt_opts = 0;
+#ifdef SECURITY_EXTREME_STACKING
+ opts->smack.mnt_opts = NULL;
+ opts->smack.mnt_opts_flags = NULL;
+ opts->smack.num_mnt_opts = 0;
+#endif
}
static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
{
int i;
- if (opts->mnt_opts)
- for (i = 0; i < opts->num_mnt_opts; i++)
- kfree(opts->mnt_opts[i]);
- kfree(opts->mnt_opts);
- opts->mnt_opts = NULL;
- kfree(opts->mnt_opts_flags);
- opts->mnt_opts_flags = NULL;
- opts->num_mnt_opts = 0;
+
+ if (opts->selinux.mnt_opts)
+ for (i = 0; i < opts->selinux.num_mnt_opts; i++)
+ kfree(opts->selinux.mnt_opts[i]);
+ kfree(opts->selinux.mnt_opts);
+ opts->selinux.mnt_opts = NULL;
+ kfree(opts->selinux.mnt_opts_flags);
+ opts->selinux.mnt_opts_flags = NULL;
+ opts->selinux.num_mnt_opts = 0;
+#ifdef SECURITY_EXTREME_STACKING
+ if (opts->smack.mnt_opts)
+ for (i = 0; i < opts->smack.num_mnt_opts; i++)
+ kfree(opts->smack.mnt_opts[i]);
+ kfree(opts->smack.mnt_opts);
+ opts->smack.mnt_opts = NULL;
+ kfree(opts->smack.mnt_opts_flags);
+ opts->smack.mnt_opts_flags = NULL;
+ opts->smack.num_mnt_opts = 0;
+#endif
}
/* prototypes */
diff --git a/security/security.c b/security/security.c
index d4b3479..0e31e91 100644
--- a/security/security.c
+++ b/security/security.c
@@ -691,9 +691,18 @@ int security_sb_set_mnt_opts(struct super_block *sb,
unsigned long kern_flags,
unsigned long *set_kern_flags)
{
- return call_int_hook(sb_set_mnt_opts,
- opts->num_mnt_opts ? -EOPNOTSUPP : 0, sb,
- opts, kern_flags, set_kern_flags);
+ int nobody = 0;
+
+#ifdef SECURITY_EXTREME_STACKING
+ if (opts->selinux.num_mnt_opts != 0 || opts->smack.num_mnt_opts != 0)
+ nobody = -EOPNOTSUPP;
+#else
+ if (opts->selinux.num_mnt_opts != 0)
+ nobody = -EOPNOTSUPP;
+#endif
+
+ return call_int_hook(sb_set_mnt_opts, nobody, sb, opts, kern_flags,
+ set_kern_flags);
}
EXPORT_SYMBOL(security_sb_set_mnt_opts);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 60d9fe8..341b3da 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -538,21 +538,23 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
/* count the number of mount options for this sb */
for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
if (tmp & 0x01)
- opts->num_mnt_opts++;
+ opts->selinux.num_mnt_opts++;
tmp >>= 1;
}
/* Check if the Label support flag is set */
if (sbsec->flags & SBLABEL_MNT)
- opts->num_mnt_opts++;
+ opts->selinux.num_mnt_opts++;
- opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
- if (!opts->mnt_opts) {
+ opts->selinux.mnt_opts = kcalloc(opts->selinux.num_mnt_opts,
+ sizeof(char *), GFP_ATOMIC);
+ if (!opts->selinux.mnt_opts) {
rc = -ENOMEM;
goto out_free;
}
- opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
- if (!opts->mnt_opts_flags) {
+ opts->selinux.mnt_opts_flags = kcalloc(opts->selinux.num_mnt_opts,
+ sizeof(int), GFP_ATOMIC);
+ if (!opts->selinux.mnt_opts_flags) {
rc = -ENOMEM;
goto out_free;
}
@@ -562,22 +564,22 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
rc = security_sid_to_context(sbsec->sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = FSCONTEXT_MNT;
}
if (sbsec->flags & CONTEXT_MNT) {
rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = CONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = CONTEXT_MNT;
}
if (sbsec->flags & DEFCONTEXT_MNT) {
rc = security_sid_to_context(sbsec->def_sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = DEFCONTEXT_MNT;
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct dentry *root = sbsec->sb->s_root;
@@ -587,15 +589,15 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
}
if (sbsec->flags & SBLABEL_MNT) {
- opts->mnt_opts[i] = NULL;
- opts->mnt_opts_flags[i++] = SBLABEL_MNT;
+ opts->selinux.mnt_opts[i] = NULL;
+ opts->selinux.mnt_opts_flags[i++] = SBLABEL_MNT;
}
- BUG_ON(i != opts->num_mnt_opts);
+ BUG_ON(i != opts->selinux.num_mnt_opts);
return 0;
@@ -641,9 +643,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
struct inode_security_struct *root_isec;
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
- char **mount_options = opts->mnt_opts;
- int *flags = opts->mnt_opts_flags;
- int num_opts = opts->num_mnt_opts;
+ char **mount_options = opts->selinux.mnt_opts;
+ int *flags = opts->selinux.mnt_opts_flags;
+ int num_opts = opts->selinux.num_mnt_opts;
mutex_lock(&sbsec->lock);
@@ -977,7 +979,7 @@ static int selinux_parse_opts_str(char *options,
char *fscontext = NULL, *rootcontext = NULL;
int rc, num_mnt_opts = 0;
- opts->num_mnt_opts = 0;
+ opts->selinux.num_mnt_opts = 0;
/* Standard string-based options. */
while ((p = strsep(&options, "|")) != NULL) {
@@ -1044,43 +1046,42 @@ static int selinux_parse_opts_str(char *options,
case Opt_labelsupport:
break;
default:
- rc = -EINVAL;
printk(KERN_WARNING "SELinux: unknown mount option\n");
- goto out_err;
-
+ break;
}
}
rc = -ENOMEM;
- opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
- if (!opts->mnt_opts)
+ opts->selinux.mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *),
+ GFP_KERNEL);
+ if (!opts->selinux.mnt_opts)
goto out_err;
- opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
+ opts->selinux.mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
GFP_KERNEL);
- if (!opts->mnt_opts_flags) {
- kfree(opts->mnt_opts);
+ if (!opts->selinux.mnt_opts_flags) {
+ kfree(opts->selinux.mnt_opts);
goto out_err;
}
if (fscontext) {
- opts->mnt_opts[num_mnt_opts] = fscontext;
- opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = fscontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
}
if (context) {
- opts->mnt_opts[num_mnt_opts] = context;
- opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = context;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
}
if (rootcontext) {
- opts->mnt_opts[num_mnt_opts] = rootcontext;
- opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = rootcontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
}
if (defcontext) {
- opts->mnt_opts[num_mnt_opts] = defcontext;
- opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = defcontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
}
- opts->num_mnt_opts = num_mnt_opts;
+ opts->selinux.num_mnt_opts = num_mnt_opts;
return 0;
out_err:
@@ -1124,15 +1125,15 @@ static void selinux_write_opts(struct seq_file *m,
int i;
char *prefix;
- for (i = 0; i < opts->num_mnt_opts; i++) {
+ for (i = 0; i < opts->selinux.num_mnt_opts; i++) {
char *has_comma;
- if (opts->mnt_opts[i])
- has_comma = strchr(opts->mnt_opts[i], ',');
+ if (opts->selinux.mnt_opts[i])
+ has_comma = strchr(opts->selinux.mnt_opts[i], ',');
else
has_comma = NULL;
- switch (opts->mnt_opts_flags[i]) {
+ switch (opts->selinux.mnt_opts_flags[i]) {
case CONTEXT_MNT:
prefix = CONTEXT_STR;
break;
@@ -1158,7 +1159,7 @@ static void selinux_write_opts(struct seq_file *m,
seq_puts(m, prefix);
if (has_comma)
seq_putc(m, '\"');
- seq_escape(m, opts->mnt_opts[i], "\"\n\\");
+ seq_escape(m, opts->selinux.mnt_opts[i], "\"\n\\");
if (has_comma)
seq_putc(m, '\"');
}
@@ -2667,10 +2668,10 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
if (rc)
goto out_free_secdata;
- mount_options = opts.mnt_opts;
- flags = opts.mnt_opts_flags;
+ mount_options = opts.selinux.mnt_opts;
+ flags = opts.selinux.mnt_opts_flags;
- for (i = 0; i < opts.num_mnt_opts; i++) {
+ for (i = 0; i < opts.selinux.num_mnt_opts; i++) {
u32 sid;
if (flags[i] == SBLABEL_MNT)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 9233b33..3d63c92 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -601,7 +601,7 @@ static int smack_parse_opts_str(char *options,
int num_mnt_opts = 0;
int token;
- opts->num_mnt_opts = 0;
+ opts->smack.num_mnt_opts = 0;
if (!options)
return 0;
@@ -657,39 +657,40 @@ static int smack_parse_opts_str(char *options,
}
}
- opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_KERNEL);
- if (!opts->mnt_opts)
+ opts->smack.mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *),
+ GFP_KERNEL);
+ if (!opts->smack.mnt_opts)
goto out_err;
- opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int),
- GFP_KERNEL);
- if (!opts->mnt_opts_flags) {
- kfree(opts->mnt_opts);
+ opts->smack.mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int),
+ GFP_KERNEL);
+ if (!opts->smack.mnt_opts_flags) {
+ kfree(opts->smack.mnt_opts);
goto out_err;
}
if (fsdefault) {
- opts->mnt_opts[num_mnt_opts] = fsdefault;
- opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsdefault;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT;
}
if (fsfloor) {
- opts->mnt_opts[num_mnt_opts] = fsfloor;
- opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsfloor;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
}
if (fshat) {
- opts->mnt_opts[num_mnt_opts] = fshat;
- opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fshat;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
}
if (fsroot) {
- opts->mnt_opts[num_mnt_opts] = fsroot;
- opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsroot;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
}
if (fstransmute) {
- opts->mnt_opts[num_mnt_opts] = fstransmute;
- opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fstransmute;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
}
- opts->num_mnt_opts = num_mnt_opts;
+ opts->smack.num_mnt_opts = num_mnt_opts;
return 0;
out_opt_err:
@@ -728,7 +729,7 @@ static int smack_set_mnt_opts(struct super_block *sb,
struct inode_smack *isp;
struct smack_known *skp;
int i;
- int num_opts = opts->num_mnt_opts;
+ int num_opts = opts->smack.num_mnt_opts;
int transmute = 0;
if (sp->smk_flags & SMK_SB_INITIALIZED)
@@ -762,33 +763,33 @@ static int smack_set_mnt_opts(struct super_block *sb,
sp->smk_flags |= SMK_SB_INITIALIZED;
for (i = 0; i < num_opts; i++) {
- switch (opts->mnt_opts_flags[i]) {
+ switch (opts->smack.mnt_opts_flags[i]) {
case FSDEFAULT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_default = skp;
break;
case FSFLOOR_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_floor = skp;
break;
case FSHAT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_hat = skp;
break;
case FSROOT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
break;
case FSTRANS_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 09/11] netlabel agreement checking
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (6 preceding siblings ...)
2017-04-05 21:53 ` [PATCH RFC 07/11] LSM: Mount option data for extreme stacking Casey Schaufler
@ 2017-04-05 21:54 ` Casey Schaufler
2017-04-05 21:54 ` [PATCH RFC 10/11] Smack: sendmsg compile error fix Casey Schaufler
` (2 subsequent siblings)
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:54 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 09/11] netlabel agreement checking
If multiple security modules are using netlabel
to pass security attributes they must agree on the
labeling for each packet. Because a module may
decide on the labeling based on a number of factors
the check needs to be done at send time.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 5 +++-
include/net/netlabel.h | 8 +++++++
net/netlabel/netlabel_kapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++
security/security.c | 23 ++++++++++++++++++-
security/selinux/hooks.c | 7 +++++-
security/smack/smack_lsm.c | 4 +++-
security/tomoyo/tomoyo.c | 3 ++-
7 files changed, 99 insertions(+), 5 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 6b0ede2..d848a0a 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -28,6 +28,8 @@
#include <linux/init.h>
#include <linux/rculist.h>
+struct netlbl_lsm_secattr;
+
/**
* Security hooks for program execution operations.
*
@@ -789,6 +791,7 @@
* @sock contains the socket structure.
* @msg contains the message to be transmitted.
* @size contains the size of message.
+ * @attrs points to the network attributes on return.
* Return 0 if permission is granted.
* @socket_recvmsg:
* Check permission before receiving a message from a socket.
@@ -1584,7 +1587,7 @@ union security_list_options {
int (*socket_listen)(struct socket *sock, int backlog);
int (*socket_accept)(struct socket *sock, struct socket *newsock);
int (*socket_sendmsg)(struct socket *sock, struct msghdr *msg,
- int size);
+ int size, struct netlbl_lsm_secattr **attrs);
int (*socket_recvmsg)(struct socket *sock, struct msghdr *msg,
int size, int flags);
int (*socket_getsockname)(struct socket *sock);
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 8cdd2d6..3cda2f3 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -472,6 +472,8 @@ int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
u32 offset,
unsigned long bitmap,
gfp_t flags);
+bool netlbl_secattr_equal(const struct netlbl_lsm_secattr *secattr_a,
+ const struct netlbl_lsm_secattr *secattr_b);
/* Bitmap functions
*/
@@ -623,6 +625,12 @@ static inline int netlbl_catmap_setlong(struct netlbl_lsm_catmap **catmap,
{
return 0;
}
+static inline bool netlbl_secattr_equal(
+ const struct netlbl_lsm_secattr *secattr_a,
+ const struct netlbl_lsm_secattr *secattr_b)
+{
+ return true;
+}
static inline int netlbl_enabled(void)
{
return 0;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index cb8a2c7..5692d92 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1461,6 +1461,60 @@ int netlbl_cache_add(const struct sk_buff *skb, u16 family,
return -ENOMSG;
}
+/**
+ * netlbl_secattr_equal - Compare two lsm secattrs
+ * @secattr_a: one security attribute
+ * @secattr_b: the other security attribute
+ *
+ * Description:
+ * Compare two lsm security attribute structures. Returns true
+ * if they are the same, false otherwise.
+ *
+ */
+bool netlbl_secattr_equal(const struct netlbl_lsm_secattr *secattr_a,
+ const struct netlbl_lsm_secattr *secattr_b)
+{
+ struct netlbl_lsm_catmap *iter_a;
+ struct netlbl_lsm_catmap *iter_b;
+
+ if (secattr_a == secattr_b)
+ return true;
+ if (!secattr_a || !secattr_b)
+ return false;
+
+ if ((secattr_a->flags & NETLBL_SECATTR_SECID) &&
+ (secattr_b->flags & NETLBL_SECATTR_SECID))
+ return secattr_a->attr.secid.common ==
+ secattr_b->attr.secid.common;
+
+ if ((secattr_a->flags & NETLBL_SECATTR_MLS_LVL) !=
+ (secattr_b->flags & NETLBL_SECATTR_MLS_LVL))
+ return false;
+
+ if ((secattr_a->flags & NETLBL_SECATTR_MLS_LVL) &&
+ secattr_a->attr.mls.lvl != secattr_b->attr.mls.lvl)
+ return false;
+
+ if ((secattr_a->flags & NETLBL_SECATTR_MLS_CAT) !=
+ (secattr_b->flags & NETLBL_SECATTR_MLS_CAT))
+ return false;
+
+ iter_a = secattr_a->attr.mls.cat;
+ iter_b = secattr_b->attr.mls.cat;
+
+ while (iter_a && iter_b) {
+ if (iter_a->startbit != iter_b->startbit)
+ return false;
+ if (memcmp(iter_a->bitmap, iter_b->bitmap,
+ sizeof(iter_a->bitmap)))
+ return false;
+ iter_a = iter_a->next;
+ iter_b = iter_b->next;
+ }
+
+ return !iter_a && !iter_b;
+}
+
/*
* Protocol Engine Functions
*/
diff --git a/security/security.c b/security/security.c
index 35ccc81..5cf3214 100644
--- a/security/security.c
+++ b/security/security.c
@@ -28,6 +28,7 @@
#include <linux/msg.h>
#include <net/flow.h>
#include <net/sock.h>
+#include <net/netlabel.h>
#define MAX_LSM_EVM_XATTR 2
@@ -2134,7 +2135,27 @@ int security_socket_accept(struct socket *sock, struct socket *newsock)
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
- return call_int_hook(socket_sendmsg, 0, sock, msg, size);
+ struct security_hook_list *hp;
+ int rc;
+ struct netlbl_lsm_secattr *pattrs = NULL;
+ struct netlbl_lsm_secattr *attrs = NULL;
+
+ list_for_each_entry(hp, &security_hook_heads.socket_sendmsg, list) {
+ rc = hp->hook.socket_sendmsg(sock, msg, size, &attrs);
+ if (rc)
+ return rc;
+ /*
+ * Only do the check if the current module reports
+ * an attribute, and there is something to compare it to.
+ */
+ if (attrs) {
+ if (!pattrs)
+ pattrs = attrs;
+ else if (!netlbl_secattr_equal(pattrs, attrs))
+ return -EACCES;
+ }
+ }
+ return 0;
}
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d5c8868..6c493b8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4437,8 +4437,13 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
}
static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
- int size)
+ int size, struct netlbl_lsm_secattr **attrs)
{
+#ifdef CONFIG_NETLABEL
+ struct sk_security_struct *sksec = selinux_sock(sock->sk);
+
+ *attrs = sksec->nlbl_secattr;
+#endif
return sock_has_perm(sock->sk, SOCKET__WRITE);
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 0034365..7c8ffe4 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3635,7 +3635,7 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
* For IPv6 this is a check against the label of the port.
*/
static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
- int size)
+ int size, struct netlbl_lsm_secattr **attrs)
{
struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
#if IS_ENABLED(CONFIG_IPV6)
@@ -3647,6 +3647,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
#endif
int rc = 0;
+ *attrs = NULL;
/*
* Perfectly reasonable for this to be NULL
*/
@@ -3656,6 +3657,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
switch (sock->sk->sk_family) {
case AF_INET:
rc = smack_netlabel_send(sock->sk, sip);
+ *attrs = &ssp->smk_out->smk_netlabel;
break;
case AF_INET6:
#ifdef SMACK_IPV6_SECMARK_LABELING
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 27f1198..914eab3 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -499,11 +499,12 @@ static int tomoyo_socket_bind(struct socket *sock, struct sockaddr *addr,
* @sock: Pointer to "struct socket".
* @msg: Pointer to "struct msghdr".
* @size: Size of message.
+ * @attrs: unused
*
* Returns 0 on success, negative value otherwise.
*/
static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
- int size)
+ int size, struct netlbl_lsm_secattr **attrs)
{
return tomoyo_socket_sendmsg_permission(sock, msg, size);
}
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 10/11] Smack: sendmsg compile error fix
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (7 preceding siblings ...)
2017-04-05 21:54 ` [PATCH RFC 09/11] netlabel agreement checking Casey Schaufler
@ 2017-04-05 21:54 ` Casey Schaufler
2017-04-05 21:54 ` [PATCH RFC 11/11] LSM: manage task security blobs Casey Schaufler
2017-04-06 18:26 ` [PATCH RFC 00/11] LSM: Stacking for major security modules Stephen Smalley
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:54 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 10/11] Smack: sendmsg compile error fix
Move the declaration of ssp out of ifdefs as it's now
always required.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/smack/smack_lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index e1264b9..2ac6d33 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3637,11 +3637,11 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
int size, struct netlbl_lsm_secattr **attrs)
{
struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
+ struct socket_smack *ssp = smack_sock(sock->sk);
#if IS_ENABLED(CONFIG_IPV6)
struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
- struct socket_smack *ssp = smack_sock(sock->sk);
struct smack_known *rsp;
#endif
int rc = 0;
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 11/11] LSM: manage task security blobs
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (8 preceding siblings ...)
2017-04-05 21:54 ` [PATCH RFC 10/11] Smack: sendmsg compile error fix Casey Schaufler
@ 2017-04-05 21:54 ` Casey Schaufler
2017-04-06 18:26 ` [PATCH RFC 00/11] LSM: Stacking for major security modules Stephen Smalley
10 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-05 21:54 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH RFC 11/11] LSM: manage task security blobs
Move management of task security blobs into the security
infrastructure. Modules are required to identify the space
they require. At this time there are no modules that use
task blobs.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/security.c | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index d848a0a..f36b73f 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1907,6 +1907,7 @@ struct lsm_blob_sizes {
int lbs_msg_msg;
int lbs_sock;
int lbs_superblock;
+ int lbs_task;
};
/*
diff --git a/security/security.c b/security/security.c
index 5cf3214..f8943da 100644
--- a/security/security.c
+++ b/security/security.c
@@ -104,6 +104,7 @@ int __init security_init(void)
pr_info("LSM: msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock);
pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock);
+ pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task);
pr_info("LSM: secid size = %zu\n", sizeof(struct secids));
#endif /* CONFIG_SECURITY_LSM_DEBUG */
@@ -268,6 +269,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
lsm_set_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
lsm_set_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
lsm_set_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
+ lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task);
/*
* The inode blob gets an rcu_head in addition to
* what the modules might need.
@@ -460,6 +462,29 @@ int lsm_superblock_alloc(struct super_block *sb)
return 0;
}
+/**
+ * lsm_task_alloc - allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_task_alloc(struct task_struct *task)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (task->security)
+ pr_info("%s: Inbound task blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_task == 0)
+ return 0;
+
+ task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
+ if (task->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
/*
* A secids structure contains all of the modules specific
* secids and the secmark used to represent the combination
@@ -1422,6 +1447,9 @@ int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
void security_task_free(struct task_struct *task)
{
call_void_hook(task_free, task);
+
+ kfree(task->security);
+ task->security = NULL;
}
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH RFC 00/11] LSM: Stacking for major security modules
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
` (9 preceding siblings ...)
2017-04-05 21:54 ` [PATCH RFC 11/11] LSM: manage task security blobs Casey Schaufler
@ 2017-04-06 18:26 ` Stephen Smalley
2017-04-06 20:10 ` Casey Schaufler
10 siblings, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2017-04-06 18:26 UTC (permalink / raw)
To: linux-security-module
On Wed, 2017-04-05 at 14:39 -0700, Casey Schaufler wrote:
> Subject: [PATCH RFC 00/11] LSM: Stacking for major security modules
>
> I am again sending this as an RFC. If you stop at patch 04 you can
> use any combination of modules so long as you use only one of
> SELinux and Smack. Patches 05-10 take you most of the way to complete
> stacking, but cannot be said to completely address all the issues.
> Patch 11 provides for management of the yet unused task blob.
>
> This patch set implements stacking for "major" security modules
> that use cred and file blobs. Management of security blobs is
> moved from the security modules and into the LSM infrastructure.
> This has been proposed in the past by Serge Hallyn and David Howells.
> This implementation owes much to their work.
>
> The bulk of the change is in abstracting use of blobs within the
> security modules. This allows the modules to share a single blob
> and hides the details from the code. There is?
>
> Modules are required to declare the amount of space they require
> for each blob they use. Because modules deal with blobs during their
> initialization the blob sizes must be declared prior to module
> initialization. The module initialization becomes a two step process.
>
> Security module stacking is optional. If stacking is not configured,
> the CONFIG_DEFAULT_SECURITY value is used, just as before. If
> stacking
> is configured using CONFIG_SECURITY_STACKING the modules desired for
> the stack are selected individually. AppArmor would be selected by
> specifying CONFIG_SECURITY_APPARMOR_STACKED. The
> CONFIG_DEFAULT_SECURITY
> is ignored. The security= boot option is still respected and has the
> same behavior as before, allowing a single module to be used instead
> of
> the specified stack.
>
> To accommodate multiple active modules a security "context" is
> defined to use a regular format:
>
> lsmname='lsmvalue'[,lsmname='lsmvalue']...
>
> This is not supported by any existing user space run time code.
>
> I have tested these patches in various configurations of Ubuntu and
> Fedora. I have had much better success with SELinux in permissive
> mode
> than enforcing, but that appears to be a result of user space code
> issues. Smack and SELinux together have limited success, again
> because
> of the context format.
I think in order for this to be viable, it must not break existing
userspace if CONFIG_SECURITY_STACKING=y if only one module is enabled.
Ideally, it wouldn't even break existing userspace with multiple
modules, so long as they do not conflict in their usage of userspace
APIs (e.g. if only one implements getpeersec_stream, why mutate its
result and break userspace?).
At present, it breaks the selinux-testsuite even with
CONFIG_SECURITY_STACKING=n, all in the inet_socket tests; looks like
network labeling is broken. FWIW, output was:
inet_socket/test ............ getsockopt: SO_PEERSEC: Protocol not
available
read: Connection reset by peer
inet_socket/test ............ 1/33?
#???Failed test at inet_socket/test line 27.
inet_socket/client:??expected
unconfined_u:unconfined_r:test_inet_client_t:s0-s0:c0.c1023, got?
inet_socket/test ............ 3/33?
#???Failed test at inet_socket/test line 45.
inet_socket/test ............ 26/33?
#???Failed test at inet_socket/test line 219.
#???Failed test at inet_socket/test line 227.
inet_socket/test ............ 30/33?
#???Failed test at inet_socket/test line 245.
#???Failed test at inet_socket/test line 253.
# Looks like you failed 6 tests of 33.
inet_socket/test ............ Dubious, test returned 6 (wstat 1536,
0x600)
Failed 6/33 subtests
These all pass on security-next and on v4.11-rc4, so it is definitely
something in your patches.?
>
> Patch 01 Adds a smack subdirectory in /proc/.../attr (proposed
> separately)
> Patch 02 Move management of the cred blob to the LSM infrastructure.
> Patch 03 Move management of the file blob to the LSM infrastructure.
> Patch 04 Change how the security modules get selected.
> Patch 05 Infrastructure blob management for IPC, keys, sockets.
> Patch 06 Fixes Smack's sk_free hook.
> Patch 07 Support mount options for multiple security modules.
> Patch 08 Change secids from a u32 to a structure.
> Patch 09 Netlabel consistency enforcment in sendmsg.
> Patch 10 Fixes a compile issue in one Smack configuration.
> Patch 11 Infrastructure blob management for the new task blob.
>
> These patches can be found in git at:
>
> https://github.com/cschaufler/smack-next.git#stacking-4.11-rc4
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>
> ?Documentation/security/LSM.txt??????????|???33 +-
> ?drivers/usb/core/devio.c????????????????|???13 +-
> ?fs/btrfs/super.c????????????????????????|???10 +-
> ?fs/proc/base.c??????????????????????????|???96 ++-
> ?fs/proc/internal.h??????????????????????|????1 +
> ?fs/xattr.c??????????????????????????????|????6 +-
> ?include/linux/audit.h???????????????????|???10 +-
> ?include/linux/cred.h????????????????????|????3 +-
> ?include/linux/lsm_hooks.h???????????????|???76 ++-
> ?include/linux/sched/signal.h????????????|????2 +-
> ?include/linux/security.h????????????????|??227 +++++--
> ?include/net/flow.h??????????????????????|????5 +-
> ?include/net/netlabel.h??????????????????|???16 +-
> ?include/net/scm.h???????????????????????|????4 +-
> ?kernel/audit.c??????????????????????????|???25 +-
> ?kernel/audit.h??????????????????????????|????9 +-
> ?kernel/auditfilter.c????????????????????|????4 +-
> ?kernel/auditsc.c????????????????????????|???42 +-
> ?kernel/cred.c???????????????????????????|???19 +-
> ?kernel/signal.c?????????????????????????|????6 +-
> ?net/ipv4/cipso_ipv4.c???????????????????|????5 +-
> ?net/ipv4/ip_sockglue.c??????????????????|????6 +-
> ?net/netfilter/nf_conntrack_netlink.c????|???12 +-
> ?net/netfilter/nf_conntrack_standalone.c |????6 +-
> ?net/netfilter/nfnetlink_queue.c?????????|????9 +-
> ?net/netfilter/xt_AUDIT.c????????????????|????9 +-
> ?net/netfilter/xt_SECMARK.c??????????????|????6 +-
> ?net/netlabel/netlabel_kapi.c????????????|???56 +-
> ?net/netlabel/netlabel_unlabeled.c???????|???30 +-
> ?net/netlabel/netlabel_unlabeled.h???????|????2 +-
> ?net/netlabel/netlabel_user.c????????????|????4 +-
> ?net/unix/af_unix.c??????????????????????|????6 +-
> ?net/xfrm/xfrm_policy.c??????????????????|????6 +-
> ?net/xfrm/xfrm_state.c???????????????????|????3 +-
> ?security/Kconfig????????????????????????|???86 +++
> ?security/apparmor/context.c?????????????|????2 -
> ?security/apparmor/include/context.h?????|???25 +-
> ?security/apparmor/lsm.c?????????????????|??111 ++--
> ?security/integrity/ima/ima_policy.c?????|????7 +-
> ?security/security.c?????????????????????| 1046
> +++++++++++++++++++++++++++++--
> ?security/selinux/hooks.c????????????????|??720 +++++++++------------
> ?security/selinux/include/audit.h????????|????2 +-
> ?security/selinux/include/objsec.h???????|???87 ++-
> ?security/selinux/include/xfrm.h?????????|????9 +-
> ?security/selinux/netlabel.c?????????????|???17 +-
> ?security/selinux/selinuxfs.c????????????|????5 +-
> ?security/selinux/ss/services.c??????????|???13 +-
> ?security/selinux/xfrm.c?????????????????|???29 +-
> ?security/smack/smack.h??????????????????|???95 ++-
> ?security/smack/smack_access.c???????????|????2 +-
> ?security/smack/smack_lsm.c??????????????|??751 +++++++++----------
> ---
> ?security/smack/smack_netfilter.c????????|???28 +-
> ?security/smack/smackfs.c????????????????|???28 +-
> ?security/tomoyo/common.h????????????????|???25 +-
> ?security/tomoyo/domain.c????????????????|????4 +-
> ?security/tomoyo/securityfs_if.c?????????|???13 +-
> ?security/tomoyo/tomoyo.c????????????????|???55 +-
> ?57 files changed, 2647 insertions(+), 1280 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH RFC 00/11] LSM: Stacking for major security modules
2017-04-06 18:26 ` [PATCH RFC 00/11] LSM: Stacking for major security modules Stephen Smalley
@ 2017-04-06 20:10 ` Casey Schaufler
2017-04-06 20:38 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: Casey Schaufler @ 2017-04-06 20:10 UTC (permalink / raw)
To: linux-security-module
On 4/6/2017 11:26 AM, Stephen Smalley wrote:
> On Wed, 2017-04-05 at 14:39 -0700, Casey Schaufler wrote:
>> Subject: [PATCH RFC 00/11] LSM: Stacking for major security modules
>>
>> I am again sending this as an RFC. If you stop at patch 04 you can
>> use any combination of modules so long as you use only one of
>> SELinux and Smack. Patches 05-10 take you most of the way to complete
>> stacking, but cannot be said to completely address all the issues.
>> Patch 11 provides for management of the yet unused task blob.
>>
>> This patch set implements stacking for "major" security modules
>> that use cred and file blobs. Management of security blobs is
>> moved from the security modules and into the LSM infrastructure.
>> This has been proposed in the past by Serge Hallyn and David Howells.
>> This implementation owes much to their work.
>>
>> The bulk of the change is in abstracting use of blobs within the
>> security modules. This allows the modules to share a single blob
>> and hides the details from the code. There is
>>
>> Modules are required to declare the amount of space they require
>> for each blob they use. Because modules deal with blobs during their
>> initialization the blob sizes must be declared prior to module
>> initialization. The module initialization becomes a two step process.
>>
>> Security module stacking is optional. If stacking is not configured,
>> the CONFIG_DEFAULT_SECURITY value is used, just as before. If
>> stacking
>> is configured using CONFIG_SECURITY_STACKING the modules desired for
>> the stack are selected individually. AppArmor would be selected by
>> specifying CONFIG_SECURITY_APPARMOR_STACKED. The
>> CONFIG_DEFAULT_SECURITY
>> is ignored. The security= boot option is still respected and has the
>> same behavior as before, allowing a single module to be used instead
>> of
>> the specified stack.
>>
>> To accommodate multiple active modules a security "context" is
>> defined to use a regular format:
>>
>> lsmname='lsmvalue'[,lsmname='lsmvalue']...
>>
>> This is not supported by any existing user space run time code.
>>
>> I have tested these patches in various configurations of Ubuntu and
>> Fedora. I have had much better success with SELinux in permissive
>> mode
>> than enforcing, but that appears to be a result of user space code
>> issues. Smack and SELinux together have limited success, again
>> because
>> of the context format.
> I think in order for this to be viable, it must not break existing
> userspace if CONFIG_SECURITY_STACKING=y if only one module is enabled.
If there's only one module enabled you don't need
CONFIG_SECURITY_STACKING=y. Nonetheless, I see the point.
It's lots cleaner if this can be a compile time
difference rather than something detected at run time,
but I'll factor that in to the next version.
> Ideally, it wouldn't even break existing userspace with multiple
> modules, so long as they do not conflict in their usage of userspace
> APIs (e.g. if only one implements getpeersec_stream, why mutate its
> result and break userspace?).
Remember that
"system_u:object_r:netlabel_peer_t:s0" is a legitimate Smack label.
I don't think doing "System" vs
"selinux='system_u:object_r:netlabel_peer_t:s0',smack='System'"
on a per-API granularity is a good idea. The author of user space
code oughtn't be compelled to figure out which APIs will identity
the components and when they don't which security module will
provide the unadorned data.
At some point it would be a good idea to have a liblsm that
would make varying and/or multiple security modules easier to
deal with. I know systemd and dbus could use such a library to
good effect.
> At present, it breaks the selinux-testsuite even with
> CONFIG_SECURITY_STACKING=n, all in the inet_socket tests; looks like
> network labeling is broken. FWIW, output was:
Thanks for running the tests. I'll be looking into this soonest.
>
> inet_socket/test ............ getsockopt: SO_PEERSEC: Protocol not
> available
> read: Connection reset by peer
> inet_socket/test ............ 1/33
> # Failed test at inet_socket/test line 27.
> inet_socket/client: expected
> unconfined_u:unconfined_r:test_inet_client_t:s0-s0:c0.c1023, got
I'd be interested to see what it got.
> inet_socket/test ............ 3/33
> # Failed test at inet_socket/test line 45.
> inet_socket/test ............ 26/33
> # Failed test at inet_socket/test line 219.
>
> # Failed test at inet_socket/test line 227.
> inet_socket/test ............ 30/33
> # Failed test at inet_socket/test line 245.
>
> # Failed test at inet_socket/test line 253.
> # Looks like you failed 6 tests of 33.
> inet_socket/test ............ Dubious, test returned 6 (wstat 1536,
> 0x600)
> Failed 6/33 subtests
>
> These all pass on security-next and on v4.11-rc4, so it is definitely
> something in your patches.
>
>> Patch 01 Adds a smack subdirectory in /proc/.../attr (proposed
>> separately)
>> Patch 02 Move management of the cred blob to the LSM infrastructure.
>> Patch 03 Move management of the file blob to the LSM infrastructure.
>> Patch 04 Change how the security modules get selected.
>> Patch 05 Infrastructure blob management for IPC, keys, sockets.
>> Patch 06 Fixes Smack's sk_free hook.
>> Patch 07 Support mount options for multiple security modules.
>> Patch 08 Change secids from a u32 to a structure.
>> Patch 09 Netlabel consistency enforcment in sendmsg.
>> Patch 10 Fixes a compile issue in one Smack configuration.
>> Patch 11 Infrastructure blob management for the new task blob.
>>
>> These patches can be found in git at:
>>
>> https://github.com/cschaufler/smack-next.git#stacking-4.11-rc4
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>>
>> Documentation/security/LSM.txt | 33 +-
>> drivers/usb/core/devio.c | 13 +-
>> fs/btrfs/super.c | 10 +-
>> fs/proc/base.c | 96 ++-
>> fs/proc/internal.h | 1 +
>> fs/xattr.c | 6 +-
>> include/linux/audit.h | 10 +-
>> include/linux/cred.h | 3 +-
>> include/linux/lsm_hooks.h | 76 ++-
>> include/linux/sched/signal.h | 2 +-
>> include/linux/security.h | 227 +++++--
>> include/net/flow.h | 5 +-
>> include/net/netlabel.h | 16 +-
>> include/net/scm.h | 4 +-
>> kernel/audit.c | 25 +-
>> kernel/audit.h | 9 +-
>> kernel/auditfilter.c | 4 +-
>> kernel/auditsc.c | 42 +-
>> kernel/cred.c | 19 +-
>> kernel/signal.c | 6 +-
>> net/ipv4/cipso_ipv4.c | 5 +-
>> net/ipv4/ip_sockglue.c | 6 +-
>> net/netfilter/nf_conntrack_netlink.c | 12 +-
>> net/netfilter/nf_conntrack_standalone.c | 6 +-
>> net/netfilter/nfnetlink_queue.c | 9 +-
>> net/netfilter/xt_AUDIT.c | 9 +-
>> net/netfilter/xt_SECMARK.c | 6 +-
>> net/netlabel/netlabel_kapi.c | 56 +-
>> net/netlabel/netlabel_unlabeled.c | 30 +-
>> net/netlabel/netlabel_unlabeled.h | 2 +-
>> net/netlabel/netlabel_user.c | 4 +-
>> net/unix/af_unix.c | 6 +-
>> net/xfrm/xfrm_policy.c | 6 +-
>> net/xfrm/xfrm_state.c | 3 +-
>> security/Kconfig | 86 +++
>> security/apparmor/context.c | 2 -
>> security/apparmor/include/context.h | 25 +-
>> security/apparmor/lsm.c | 111 ++--
>> security/integrity/ima/ima_policy.c | 7 +-
>> security/security.c | 1046
>> +++++++++++++++++++++++++++++--
>> security/selinux/hooks.c | 720 +++++++++------------
>> security/selinux/include/audit.h | 2 +-
>> security/selinux/include/objsec.h | 87 ++-
>> security/selinux/include/xfrm.h | 9 +-
>> security/selinux/netlabel.c | 17 +-
>> security/selinux/selinuxfs.c | 5 +-
>> security/selinux/ss/services.c | 13 +-
>> security/selinux/xfrm.c | 29 +-
>> security/smack/smack.h | 95 ++-
>> security/smack/smack_access.c | 2 +-
>> security/smack/smack_lsm.c | 751 +++++++++----------
>> ---
>> security/smack/smack_netfilter.c | 28 +-
>> security/smack/smackfs.c | 28 +-
>> security/tomoyo/common.h | 25 +-
>> security/tomoyo/domain.c | 4 +-
>> security/tomoyo/securityfs_if.c | 13 +-
>> security/tomoyo/tomoyo.c | 55 +-
>> 57 files changed, 2647 insertions(+), 1280 deletions(-)
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH RFC 00/11] LSM: Stacking for major security modules
2017-04-06 20:10 ` Casey Schaufler
@ 2017-04-06 20:38 ` Stephen Smalley
2017-04-06 22:24 ` James Morris
0 siblings, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2017-04-06 20:38 UTC (permalink / raw)
To: linux-security-module
On Thu, 2017-04-06 at 13:10 -0700, Casey Schaufler wrote:
> On 4/6/2017 11:26 AM, Stephen Smalley wrote:
> > On Wed, 2017-04-05 at 14:39 -0700, Casey Schaufler wrote:
> > > Subject: [PATCH RFC 00/11] LSM: Stacking for major security
> > > modules
> > >
> > > I am again sending this as an RFC. If you stop at patch 04 you
> > > can
> > > use any combination of modules so long as you use only one of
> > > SELinux and Smack. Patches 05-10 take you most of the way to
> > > complete
> > > stacking, but cannot be said to completely address all the
> > > issues.
> > > Patch 11 provides for management of the yet unused task blob.
> > >
> > > This patch set implements stacking for "major" security modules
> > > that use cred and file blobs. Management of security blobs is
> > > moved from the security modules and into the LSM infrastructure.
> > > This has been proposed in the past by Serge Hallyn and David
> > > Howells.
> > > This implementation owes much to their work.
> > >
> > > The bulk of the change is in abstracting use of blobs within the
> > > security modules. This allows the modules to share a single blob
> > > and hides the details from the code. There is?
> > >
> > > Modules are required to declare the amount of space they require
> > > for each blob they use. Because modules deal with blobs during
> > > their
> > > initialization the blob sizes must be declared prior to module
> > > initialization. The module initialization becomes a two step
> > > process.
> > >
> > > Security module stacking is optional. If stacking is not
> > > configured,
> > > the CONFIG_DEFAULT_SECURITY value is used, just as before. If
> > > stacking
> > > is configured using CONFIG_SECURITY_STACKING the modules desired
> > > for
> > > the stack are selected individually. AppArmor would be selected
> > > by
> > > specifying CONFIG_SECURITY_APPARMOR_STACKED. The
> > > CONFIG_DEFAULT_SECURITY
> > > is ignored. The security= boot option is still respected and has
> > > the
> > > same behavior as before, allowing a single module to be used
> > > instead
> > > of
> > > the specified stack.
> > >
> > > To accommodate multiple active modules a security "context" is
> > > defined to use a regular format:
> > >
> > > lsmname='lsmvalue'[,lsmname='lsmvalue']...
> > >
> > > This is not supported by any existing user space run time code.
> > >
> > > I have tested these patches in various configurations of Ubuntu
> > > and
> > > Fedora. I have had much better success with SELinux in permissive
> > > mode
> > > than enforcing, but that appears to be a result of user space
> > > code
> > > issues. Smack and SELinux together have limited success, again
> > > because
> > > of the context format.
> >
> > I think in order for this to be viable, it must not break existing
> > userspace if CONFIG_SECURITY_STACKING=y if only one module is
> > enabled.
>
> If there's only one module enabled you don't need
> CONFIG_SECURITY_STACKING=y. Nonetheless, I see the point.
> It's lots cleaner if this can be a compile time
> difference rather than something detected at run time,
> but I'll factor that in to the next version.
>
> > ?Ideally, it wouldn't even break existing userspace with multiple
> > modules, so long as they do not conflict in their usage of
> > userspace
> > APIs (e.g. if only one implements getpeersec_stream, why mutate its
> > result and break userspace?).
>
> Remember that
> "system_u:object_r:netlabel_peer_t:s0" is a legitimate Smack label.
That's only a problem if they both return a result from
getpeersec_stream (true for Smack+SELinux, false for Smack+TOMOYO). So
determining whether there is more than one enabled module that
implements getpeersec_stream is sufficient to decide whether you need
to disambiguate the label for SO_PEERSEC.
> I don't think doing "System" vs
> "selinux='system_u:object_r:netlabel_peer_t:s0',smack='System'"
> on a per-API granularity is a good idea. The author of user space
> code oughtn't be compelled to figure out which APIs will identity
> the components and when they don't which security module will
> provide the unadorned data.
You're already leaving /proc/self/attr/current alone for compatibility
reasons, so not clear this is fundamentally different (except maybe you
don't think you can introduce a new socket option to get the "full"
context as easily as you can add a new proc node). If you don't want
to do it piecemeal, then you could just specify which module gets
ownership of all of the userspace APIs via a config option or
something.
> At some point it would be a good idea to have a liblsm that
> would make varying and/or multiple security modules easier to
> deal with. I know systemd and dbus could use such a library to
> good effect.
Yes, but in the meantime, if you want to be able to test
CONFIG_SECURITY_STACKING=y with modules in enforcing mode on
distributions that enable a major security module, it seems like you
need to provide some way of handling this compatibly.
>
> > At present, it breaks the selinux-testsuite even with
> > CONFIG_SECURITY_STACKING=n, all in the inet_socket tests; looks
> > like
> > network labeling is broken.??FWIW, output was:
>
> Thanks for running the tests. I'll be looking into this soonest.
>
> >
> > inet_socket/test ............ getsockopt: SO_PEERSEC: Protocol not
> > available
> > read: Connection reset by peer
> > inet_socket/test ............ 1/33?
> > #???Failed test at inet_socket/test line 27.
> > inet_socket/client:??expected
> > unconfined_u:unconfined_r:test_inet_client_t:s0-s0:c0.c1023, got?
>
> I'd be interested to see what it got.
It was an empty string, because the server didn't get a label.
>
> > inet_socket/test ............ 3/33?
> > #???Failed test at inet_socket/test line 45.
> > inet_socket/test ............ 26/33?
> > #???Failed test at inet_socket/test line 219.
> >
> > #???Failed test at inet_socket/test line 227.
> > inet_socket/test ............ 30/33?
> > #???Failed test at inet_socket/test line 245.
> >
> > #???Failed test at inet_socket/test line 253.
> > # Looks like you failed 6 tests of 33.
> > inet_socket/test ............ Dubious, test returned 6 (wstat 1536,
> > 0x600)
> > Failed 6/33 subtests
> >
> > These all pass on security-next and on v4.11-rc4, so it is
> > definitely
> > something in your patches.?
> >
> > > Patch 01 Adds a smack subdirectory in /proc/.../attr (proposed
> > > separately)
> > > Patch 02 Move management of the cred blob to the LSM
> > > infrastructure.
> > > Patch 03 Move management of the file blob to the LSM
> > > infrastructure.
> > > Patch 04 Change how the security modules get selected.
> > > Patch 05 Infrastructure blob management for IPC, keys, sockets.
> > > Patch 06 Fixes Smack's sk_free hook.
> > > Patch 07 Support mount options for multiple security modules.
> > > Patch 08 Change secids from a u32 to a structure.
> > > Patch 09 Netlabel consistency enforcment in sendmsg.
> > > Patch 10 Fixes a compile issue in one Smack configuration.
> > > Patch 11 Infrastructure blob management for the new task blob.
> > >
> > > These patches can be found in git at:
> > >
> > > https://github.com/cschaufler/smack-next.git#stacking-4.11-rc4
> > >
> > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > > ---
> > >
> > > ?Documentation/security/LSM.txt??????????|???33 +-
> > > ?drivers/usb/core/devio.c????????????????|???13 +-
> > > ?fs/btrfs/super.c????????????????????????|???10 +-
> > > ?fs/proc/base.c??????????????????????????|???96 ++-
> > > ?fs/proc/internal.h??????????????????????|????1 +
> > > ?fs/xattr.c??????????????????????????????|????6 +-
> > > ?include/linux/audit.h???????????????????|???10 +-
> > > ?include/linux/cred.h????????????????????|????3 +-
> > > ?include/linux/lsm_hooks.h???????????????|???76 ++-
> > > ?include/linux/sched/signal.h????????????|????2 +-
> > > ?include/linux/security.h????????????????|??227 +++++--
> > > ?include/net/flow.h??????????????????????|????5 +-
> > > ?include/net/netlabel.h??????????????????|???16 +-
> > > ?include/net/scm.h???????????????????????|????4 +-
> > > ?kernel/audit.c??????????????????????????|???25 +-
> > > ?kernel/audit.h??????????????????????????|????9 +-
> > > ?kernel/auditfilter.c????????????????????|????4 +-
> > > ?kernel/auditsc.c????????????????????????|???42 +-
> > > ?kernel/cred.c???????????????????????????|???19 +-
> > > ?kernel/signal.c?????????????????????????|????6 +-
> > > ?net/ipv4/cipso_ipv4.c???????????????????|????5 +-
> > > ?net/ipv4/ip_sockglue.c??????????????????|????6 +-
> > > ?net/netfilter/nf_conntrack_netlink.c????|???12 +-
> > > ?net/netfilter/nf_conntrack_standalone.c |????6 +-
> > > ?net/netfilter/nfnetlink_queue.c?????????|????9 +-
> > > ?net/netfilter/xt_AUDIT.c????????????????|????9 +-
> > > ?net/netfilter/xt_SECMARK.c??????????????|????6 +-
> > > ?net/netlabel/netlabel_kapi.c????????????|???56 +-
> > > ?net/netlabel/netlabel_unlabeled.c???????|???30 +-
> > > ?net/netlabel/netlabel_unlabeled.h???????|????2 +-
> > > ?net/netlabel/netlabel_user.c????????????|????4 +-
> > > ?net/unix/af_unix.c??????????????????????|????6 +-
> > > ?net/xfrm/xfrm_policy.c??????????????????|????6 +-
> > > ?net/xfrm/xfrm_state.c???????????????????|????3 +-
> > > ?security/Kconfig????????????????????????|???86 +++
> > > ?security/apparmor/context.c?????????????|????2 -
> > > ?security/apparmor/include/context.h?????|???25 +-
> > > ?security/apparmor/lsm.c?????????????????|??111 ++--
> > > ?security/integrity/ima/ima_policy.c?????|????7 +-
> > > ?security/security.c?????????????????????| 1046
> > > +++++++++++++++++++++++++++++--
> > > ?security/selinux/hooks.c????????????????|??720 +++++++++------
> > > ------
> > > ?security/selinux/include/audit.h????????|????2 +-
> > > ?security/selinux/include/objsec.h???????|???87 ++-
> > > ?security/selinux/include/xfrm.h?????????|????9 +-
> > > ?security/selinux/netlabel.c?????????????|???17 +-
> > > ?security/selinux/selinuxfs.c????????????|????5 +-
> > > ?security/selinux/ss/services.c??????????|???13 +-
> > > ?security/selinux/xfrm.c?????????????????|???29 +-
> > > ?security/smack/smack.h??????????????????|???95 ++-
> > > ?security/smack/smack_access.c???????????|????2 +-
> > > ?security/smack/smack_lsm.c??????????????|??751 +++++++++------
> > > ----
> > > ---
> > > ?security/smack/smack_netfilter.c????????|???28 +-
> > > ?security/smack/smackfs.c????????????????|???28 +-
> > > ?security/tomoyo/common.h????????????????|???25 +-
> > > ?security/tomoyo/domain.c????????????????|????4 +-
> > > ?security/tomoyo/securityfs_if.c?????????|???13 +-
> > > ?security/tomoyo/tomoyo.c????????????????|???55 +-
> > > ?57 files changed, 2647 insertions(+), 1280 deletions(-)
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-
> > security-module" in
> > the body of a message to majordomo at vger.kernel.org
> > More majordomo info at??http://vger.kernel.org/majordomo-info.html
> >
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH RFC 00/11] LSM: Stacking for major security modules
2017-04-06 20:38 ` Stephen Smalley
@ 2017-04-06 22:24 ` James Morris
2017-04-06 22:50 ` Casey Schaufler
0 siblings, 1 reply; 19+ messages in thread
From: James Morris @ 2017-04-06 22:24 UTC (permalink / raw)
To: linux-security-module
On Thu, 6 Apr 2017, Stephen Smalley wrote:
> Yes, but in the meantime, if you want to be able to test
> CONFIG_SECURITY_STACKING=y with modules in enforcing mode on
> distributions that enable a major security module, it seems like you
> need to provide some way of handling this compatibly.
Regardless of the config option, we can't break existing userspace. This
is a long-standing Linux kernel development rule.
You'll need to implement new interfaces for any changes.
--
James Morris
<jmorris@namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH RFC 00/11] LSM: Stacking for major security modules
2017-04-06 22:24 ` James Morris
@ 2017-04-06 22:50 ` Casey Schaufler
2017-04-08 13:14 ` Paul Moore
0 siblings, 1 reply; 19+ messages in thread
From: Casey Schaufler @ 2017-04-06 22:50 UTC (permalink / raw)
To: linux-security-module
On 4/6/2017 3:24 PM, James Morris wrote:
> On Thu, 6 Apr 2017, Stephen Smalley wrote:
>
>> Yes, but in the meantime, if you want to be able to test
>> CONFIG_SECURITY_STACKING=y with modules in enforcing mode on
>> distributions that enable a major security module, it seems like you
>> need to provide some way of handling this compatibly.
> Regardless of the config option, we can't break existing userspace. This
> is a long-standing Linux kernel development rule.
>
> You'll need to implement new interfaces for any changes.
The big question is SO_PEERSEC. SO_PEERSEC provides
undefined "security credentials". You don't need to
define a new interface here because the interface allows
different configurations (e.g. Smack active, SELinux
active, both active) to provide different information.
The basic argument today is over whether
"System"
is preferred over
"smack='System'"
in the case where only Smack is enabled, and to what extent.
The majority opinion seems to be that the self-identifying
attribute should *never* be used unless there are in fact
multiple modules providing data. I personally believe that
this is short sighted and will discourage the development
of run time environments that are capable of dealing with
multiple concurrent security modules. But, I'm not going
to let my own stubborn streak get in the way of progress.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH RFC 00/11] LSM: Stacking for major security modules
2017-04-06 22:50 ` Casey Schaufler
@ 2017-04-08 13:14 ` Paul Moore
2017-04-08 17:29 ` Casey Schaufler
0 siblings, 1 reply; 19+ messages in thread
From: Paul Moore @ 2017-04-08 13:14 UTC (permalink / raw)
To: linux-security-module
On Thu, Apr 6, 2017 at 6:50 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 4/6/2017 3:24 PM, James Morris wrote:
>> On Thu, 6 Apr 2017, Stephen Smalley wrote:
>>
>>> Yes, but in the meantime, if you want to be able to test
>>> CONFIG_SECURITY_STACKING=y with modules in enforcing mode on
>>> distributions that enable a major security module, it seems like you
>>> need to provide some way of handling this compatibly.
>> Regardless of the config option, we can't break existing userspace. This
>> is a long-standing Linux kernel development rule.
>>
>> You'll need to implement new interfaces for any changes.
>
> The big question is SO_PEERSEC. SO_PEERSEC provides
> undefined "security credentials". You don't need to
> define a new interface here because the interface allows
> different configurations (e.g. Smack active, SELinux
> active, both active) to provide different information.
Just a gentle reminder that ignoring existing conventions because the
formal (?) specification declares the interface as "undefined" is a
really good way to break userspace :)
In all seriousness, a new interface with a well defined specification
that could support multiple labels/LSM might not be a bad idea if for
no other reason that what we currently have is a bit broken, but works
due to dumb luck (see the discussion in the GH issue below).
https://github.com/SELinuxProject/selinux-kernel/issues/24
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH RFC 00/11] LSM: Stacking for major security modules
2017-04-08 13:14 ` Paul Moore
@ 2017-04-08 17:29 ` Casey Schaufler
0 siblings, 0 replies; 19+ messages in thread
From: Casey Schaufler @ 2017-04-08 17:29 UTC (permalink / raw)
To: linux-security-module
On 4/8/2017 6:14 AM, Paul Moore wrote:
> On Thu, Apr 6, 2017 at 6:50 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 4/6/2017 3:24 PM, James Morris wrote:
>>> On Thu, 6 Apr 2017, Stephen Smalley wrote:
>>>
>>>> Yes, but in the meantime, if you want to be able to test
>>>> CONFIG_SECURITY_STACKING=y with modules in enforcing mode on
>>>> distributions that enable a major security module, it seems like you
>>>> need to provide some way of handling this compatibly.
>>> Regardless of the config option, we can't break existing userspace. This
>>> is a long-standing Linux kernel development rule.
>>>
>>> You'll need to implement new interfaces for any changes.
>> The big question is SO_PEERSEC. SO_PEERSEC provides
>> undefined "security credentials". You don't need to
>> define a new interface here because the interface allows
>> different configurations (e.g. Smack active, SELinux
>> active, both active) to provide different information.
> Just a gentle reminder that ignoring existing conventions because the
> formal (?) specification declares the interface as "undefined" is a
> really good way to break userspace :)
Indeed. That's the lesson of /proc/.../attr/current. I
should *never* have reused that for Smack. Even the rationale
that "id wouldn't have to change" was flawed because that
program checks to see if SELinux is active and refuses to
even look if it isn't.
Alas, there is going to be a balance between "break old"
and "enable new". Of course we can create all new everything,
but I'm not a fan of API bloat. It's good to keep getting
feedback, even when I don't like it.
> In all seriousness, a new interface with a well defined specification
> that could support multiple labels/LSM might not be a bad idea if for
> no other reason that what we currently have is a bit broken, but works
> due to dumb luck (see the discussion in the GH issue below).
>
> https://github.com/SELinuxProject/selinux-kernel/issues/24
>
Oh my. I thought the mechanism was sort of peculiar,
but I wasn't really aware of all the details.
lsm_setsockattr(sock, "lsmname", "attrname", attr, attrlen);
lsm_getsockattr(sock, "lsmname" "attrname", attr, &attrlen);
These could be based on the current mechanisms or purpose
written for a new world order. There'd also have to be
something network magic-like for sendmsg() and recvmsg().
That's starting to sound like a lot of work.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH RFC 04/11] LSM: general but not extreme module stacking
2017-04-05 21:53 ` [PATCH RFC 04/11] LSM: general but not extreme module stacking Casey Schaufler
@ 2017-04-10 22:07 ` Tetsuo Handa
0 siblings, 0 replies; 19+ messages in thread
From: Tetsuo Handa @ 2017-04-10 22:07 UTC (permalink / raw)
To: linux-security-module
Casey Schaufler wrote:
> @@ -1365,6 +1432,77 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
> {
> struct security_hook_list *hp;
> int rc;
> + char *local;
> + char *cp;
> + int slen;
> + int failed = 0;
> +
> + /*
> + * If lsm is NULL look at all the modules to find one
> + * that processes name. If lsm is not NULL only look at
> + * that module.
> + *
> + * "context" is handled directly here.
> + */
> + if (strcmp(name, "context") == 0) {
> + /*
> + * First verify that the input is acceptable.
> + * lsm1='v1'lsm2='v2'lsm3='v3'
> + *
> + * A note on the use of strncmp() below.
> + * The check is for the substring at the beginning of cp.
> + * The kzalloc of size + 1 ensures a terminated string.
> + */
> + rc = -EINVAL;
> + local = kzalloc(size + 1, GFP_KERNEL);
> + memcpy(local, value, size);
> + cp = local;
> + list_for_each_entry(hp, &security_hook_heads.setprocattr,
> + list) {
> + if (lsm != NULL && strcmp(lsm, hp->lsm))
> + continue;
> + if (cp[0] == ',') {
> + if (cp == local)
> + goto free_out;
> + cp++;
> + }
> + slen = strlen(hp->lsm);
> + if (strncmp(cp, hp->lsm, slen))
> + goto free_out;
> + cp += slen;
> + if (cp[0] != '=' || cp[1] != '\'' || cp[2] == '\'')
> + goto free_out;
> + for (cp += 2; cp[0] != '\''; cp++)
> + if (cp[0] == '\0')
> + goto free_out;
> + cp++;
> + }
> +
> + cp = local;
> + list_for_each_entry(hp, &security_hook_heads.setprocattr,
> + list) {
> + if (lsm != NULL && strcmp(lsm, hp->lsm))
> + continue;
> + if (cp[0] == ',')
> + cp++;
> + cp += strlen(hp->lsm) + 2;
> + for (slen = 0; cp[slen] != '\''; slen++)
> + ;
> + cp[slen] = '\0';
> +
> + rc = hp->hook.setprocattr("context", cp, slen);
> + if (rc < 0)
> + failed = rc;
I did not find your answer to my question.
When
valid_lsmname1='valid_value_for_lsmname1'valid_lsmname2='valid_value_for_lsmname2'valid_lsmname3='invalid_value_for_lsmname3'
is given, there is no way to undo already committed
valid_lsmname1='valid_value_for_lsmname1'valid_lsmname2='valid_value_for_lsmname2'
changes while return value tells failure at
valid_lsmname3='invalid_value_for_lsmname3'
. If you want to allow updating multiple values, you need to make them a transaction.
> + cp += slen + 1;
> + }
> + if (failed != 0)
> + rc = failed;
> + else
> + rc = size;
> +free_out:
> + kfree(local);
> + return rc;
> + }
>
> list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
> if (lsm != NULL && strcmp(lsm, hp->lsm))
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2017-04-10 22:07 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-04-05 21:39 [PATCH RFC 00/11] LSM: Stacking for major security modules Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 01/11] procfs: add smack subdir to attrs Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 02/11] LSM: manage credential security blobs Casey Schaufler
2017-04-05 21:52 ` [PATCH RFC 03/11] LSM: Manage file " Casey Schaufler
2017-04-05 21:53 ` [PATCH RFC 04/11] LSM: general but not extreme module stacking Casey Schaufler
2017-04-10 22:07 ` Tetsuo Handa
2017-04-05 21:53 ` [PATCH RFC 05/11] LSM: Infrastructure management of the remaining blobs Casey Schaufler
2017-04-05 21:53 ` [PATCH RFC 06/11] Smack: remove socket blob free Casey Schaufler
2017-04-05 21:53 ` [PATCH RFC 07/11] LSM: Mount option data for extreme stacking Casey Schaufler
2017-04-05 21:54 ` [PATCH RFC 09/11] netlabel agreement checking Casey Schaufler
2017-04-05 21:54 ` [PATCH RFC 10/11] Smack: sendmsg compile error fix Casey Schaufler
2017-04-05 21:54 ` [PATCH RFC 11/11] LSM: manage task security blobs Casey Schaufler
2017-04-06 18:26 ` [PATCH RFC 00/11] LSM: Stacking for major security modules Stephen Smalley
2017-04-06 20:10 ` Casey Schaufler
2017-04-06 20:38 ` Stephen Smalley
2017-04-06 22:24 ` James Morris
2017-04-06 22:50 ` Casey Schaufler
2017-04-08 13:14 ` Paul Moore
2017-04-08 17:29 ` Casey Schaufler
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.