From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com, linux-integrity@vger.kernel.org, sds@tycho.nsa.gov
Subject: [PATCH v25 11/25] LSM: Use lsmblob in security_inode_getsecid
Date: Tue, 9 Mar 2021 06:42:29 -0800
Message-Id: <20210309144243.12519-12-casey@schaufler-ca.com>
In-Reply-To: <20210309144243.12519-1-casey@schaufler-ca.com>
References: <20210309144243.12519-1-casey@schaufler-ca.com>
List-Id: Linux Audit Discussion

Change the security_inode_getsecid() interface to fill in a lsmblob
structure instead of a u32 secid. This allows for its callers to
gather data from all registered LSMs. Data is provided for IMA and
audit.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com --- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 4 +--- security/security.c | 11 +++++++++-- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 852a4764a609..6fa19899903e 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -452,7 +452,7 @@ int security_inode_getsecurity(struct user_namespace *mnt_userns, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, @@ -992,9 +992,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getsecid(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c2fe8d6f0238..59cb2c4ad149 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -1966,13 +1966,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getsecid(inode, &blob); + /* scaffolding until osid is updated */ + name->osid = blob.secid[0]; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 81d45b471a62..1cadd61533d7 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -606,7 +606,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; struct lsmblob lsmdata; if (!ima_lsm_isset(rule, i)) { @@ -619,8 +618,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - lsmblob_init(&lsmdata, osid); + security_inode_getsecid(inode, &lsmdata); rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); diff --git a/security/security.c b/security/security.c index 67127b6f1710..54bca6d52ab7 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1502,9 +1502,16 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer } EXPORT_SYMBOL(security_inode_listsecurity); -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.inode_getsecid(inode, &blob->secid[hp->lsmid->slot]); + } } int security_inode_copy_up(struct dentry *src, struct cred **new) -- 2.29.2 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
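Review bot: the !CONFIG_SECURITY stub in include/linux/security.h (hunk @@ -992) now calls lsmblob_init(blob, 0), and the kernel/auditsc.c hunk declares `struct lsmblob blob;` on the stack and reads `blob.secid[0]` unconditionally, so struct lsmblob and lsmblob_init() must be visible to audit code even when CONFIG_SECURITY is off. Neither hunk shows where they are defined; a CONFIG_SECURITY=n, CONFIG_AUDITSYSCALL=y build is the check to run before merging.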
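Review bot: in the kernel/auditsc.c hunk, `name->osid = blob.secid[0];` keeps only slot 0 of the blob, so when more than one secid-providing LSM is registered the audit inode record silently carries a single module's secid and drops the rest, whereas the commit message says callers can now "gather data from all registered LSMs". The `/* scaffolding until osid is updated */` comment should name the later patch in the series that converts audit_names.osid to an lsmblob, so a reader of this commit knows the lossy behaviour is transitional rather than the intended end state.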
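Review bot: the two security/integrity/ima/ima_policy.c hunks change what ima_filter_rule_match() sees, and the commit message should say so. Before, `lsmblob_init(&lsmdata, osid)` seeded every slot of lsmdata with the one secid returned by the old hook; after, security_inode_getsecid() zeroes the blob via lsmblob_init(blob, 0) and each LSM fills only its own slot, so slots belonging to LSMs that do not implement inode_getsecid are now 0 instead of a copy of another module's secid. That is the correct behaviour for per-LSM rule matching on `rule->lsm[i].type`, but it is a behavioural change, not just a refactor, and one sentence in the log would save the next bisect.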
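Review bot: in the security/security.c hunk, `WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)` runs on every call, and this function is now on the audit_copy_inode() and ima_match_rules() paths. The slot is a property of the registered hook, not of the call, so the check belongs where the hook is registered, or at least should be WARN_ON_ONCE() so a misregistered LSM cannot flood the log on every inode lookup. Separately, this open-codes the hook walk instead of using call_void_hook() as the surrounding hooks do; if the same per-slot dispatch is needed for the other *_getsecid hooks, a small helper would keep the bounds check in one place.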