From: Fan Wu <wufan@linux.microsoft.com>
To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
eparis@redhat.com, paul@paul-moore.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org,
dm-devel@redhat.com, linux-audit@redhat.com,
roberto.sassu@huawei.com, linux-kernel@vger.kernel.org,
Deven Bowers <deven.desai@linux.microsoft.com>,
Fan Wu <wufan@linux.microsoft.com>
Subject: [RFC PATCH v9 09/16] block|security: add LSM blob to block_device
Date: Mon, 30 Jan 2023 14:57:24 -0800 [thread overview]
Message-ID: <1675119451-23180-10-git-send-email-wufan@linux.microsoft.com> (raw)
In-Reply-To: <1675119451-23180-1-git-send-email-wufan@linux.microsoft.com>
From: Deven Bowers <deven.desai@linux.microsoft.com>
block_device structures can have valuable security properties,
based on how they are created, and what subsystem manages them.
By adding LSM storage to this structure, this data can be accessed
at the LSM layer.
Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
---
v2:
+ No Changes
v3:
+ Minor style changes from checkpatch --strict
v4:
+ No Changes
v5:
+ Allow multiple callers to call security_bdev_setsecurity
v6:
+ Simplify security_bdev_setsecurity break condition
v7:
+ Squash all dm-verity related patches to two patches,
the additions to dm-verity/fs, and the consumption of
the additions.
v8:
+ Split dm-verity related patches squashed in v7 to 3 commits based on
topic:
+ New LSM hook
+ Consumption of hook outside LSM
+ Consumption of hook inside LSM.
+ change return of security_bdev_alloc / security_bdev_setsecurity
to LSM_RET_DEFAULT instead of 0.
+ Change return code to -EOPNOTSUPP, bring inline with other
setsecurity hooks.
v9:
+ Add Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+ Remove unlikely when calling LSM hook
+ Make the security field dependent on CONFIG_SECURITY
---
block/bdev.c | 7 ++++
include/linux/blk_types.h | 3 ++
include/linux/lsm_hook_defs.h | 5 +++
include/linux/lsm_hooks.h | 12 ++++++
include/linux/security.h | 22 +++++++++++
security/security.c | 70 +++++++++++++++++++++++++++++++++++
6 files changed, 119 insertions(+)
diff --git a/block/bdev.c b/block/bdev.c
index edc110d90df4..f8db53b47c00 100644
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -24,6 +24,7 @@
#include <linux/pseudo_fs.h>
#include <linux/uio.h>
#include <linux/namei.h>
+#include <linux/security.h>
#include <linux/part_stat.h>
#include <linux/uaccess.h>
#include <linux/stat.h>
@@ -396,6 +397,11 @@ static struct inode *bdev_alloc_inode(struct super_block *sb)
if (!ei)
return NULL;
memset(&ei->bdev, 0, sizeof(ei->bdev));
+
+ if (security_bdev_alloc(&ei->bdev)) {
+ kmem_cache_free(bdev_cachep, ei);
+ return NULL;
+ }
return &ei->vfs_inode;
}
@@ -405,6 +411,7 @@ static void bdev_free_inode(struct inode *inode)
free_percpu(bdev->bd_stats);
kfree(bdev->bd_meta_info);
+ security_bdev_free(bdev);
if (!bdev_is_partition(bdev)) {
if (bdev->bd_disk && bdev->bd_disk->bdi)
diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
index 99be590f952f..137a04f45c17 100644
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -68,6 +68,9 @@ struct block_device {
#ifdef CONFIG_FAIL_MAKE_REQUEST
bool bd_make_it_fail;
#endif
+#ifdef CONFIG_SECURITY
+ void *security;
+#endif
} __randomize_layout;
#define bdev_whole(_bdev) \
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index ed6cb2ac55fa..1f79029c9e28 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -417,3 +417,8 @@ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
LSM_HOOK(int, 0, uring_sqpoll, void)
LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
#endif /* CONFIG_IO_URING */
+
+LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev)
+LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev)
+LSM_HOOK(int, 0, bdev_setsecurity, struct block_device *bdev, const char *name,
+ const void *value, size_t size)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0a5ba81f7367..b622ceb57d83 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1618,6 +1618,17 @@
* @what: kernel feature being accessed.
* Return 0 if permission is granted.
*
+ * @bdev_alloc_security:
+ * Initialize the security field inside a block_device structure.
+ *
+ * @bdev_free_security:
+ * Cleanup the security information stored inside a block_device structure.
+ *
+ * @bdev_setsecurity:
+ * Set a security property associated with @name for @bdev with
+ * value @value. @size indicates the size of @value in bytes.
+ * If a @name is not implemented, return -EOPNOTSUPP.
+ *
* Security hooks for perf events
*
* @perf_event_open:
@@ -1687,6 +1698,7 @@ struct lsm_blob_sizes {
int lbs_ipc;
int lbs_msg_msg;
int lbs_task;
+ int lbs_bdev;
};
/*
diff --git a/include/linux/security.h b/include/linux/security.h
index 479e154a12b8..7dea630bff5f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -487,6 +487,11 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
+int security_bdev_alloc(struct block_device *bdev);
+void security_bdev_free(struct block_device *bdev);
+int security_bdev_setsecurity(struct block_device *bdev,
+ const char *name, const void *value,
+ size_t size);
#else /* CONFIG_SECURITY */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1402,6 +1407,23 @@ static inline int security_locked_down(enum lockdown_reason what)
{
return 0;
}
+
+static inline int security_bdev_alloc(struct block_device *bdev)
+{
+ return 0;
+}
+
+static inline void security_bdev_free(struct block_device *bdev)
+{
+}
+
+static inline int security_bdev_setsecurity(struct block_device *bdev,
+ const char *name,
+ const void *value, size_t size)
+{
+ return 0;
+}
+
#endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
diff --git a/security/security.c b/security/security.c
index d1571900a8c7..5c81dd3b1350 100644
--- a/security/security.c
+++ b/security/security.c
@@ -29,6 +29,7 @@
#include <linux/string.h>
#include <linux/msg.h>
#include <net/flow.h>
+#include <linux/fs.h>
#define MAX_LSM_EVM_XATTR 2
@@ -211,6 +212,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
+ lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);
}
/* Prepare LSM for initialization. */
@@ -370,6 +372,7 @@ static void __init ordered_lsm_init(void)
init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock);
init_debug("task blob size = %d\n", blob_sizes.lbs_task);
+ init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev);
/*
* Create any kmem_caches needed for blobs
@@ -690,6 +693,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp)
return 0;
}
+/**
+ * lsm_bdev_alloc - allocate a composite block_device blob
+ * @bdev: the block_device that needs a blob
+ *
+ * Allocate the block_device blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+static int lsm_bdev_alloc(struct block_device *bdev)
+{
+ if (blob_sizes.lbs_bdev == 0) {
+ bdev->security = NULL;
+ return 0;
+ }
+
+ bdev->security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL);
+ if (!bdev->security)
+ return -ENOMEM;
+
+ return 0;
+}
+
/**
* lsm_early_task - during initialization allocate a composite task blob
* @task: the task that needs a blob
@@ -2705,6 +2730,51 @@ int security_locked_down(enum lockdown_reason what)
}
EXPORT_SYMBOL(security_locked_down);
+int security_bdev_alloc(struct block_device *bdev)
+{
+ int rc = 0;
+
+ rc = lsm_bdev_alloc(bdev);
+ if (unlikely(rc))
+ return rc;
+
+ rc = call_int_hook(bdev_alloc_security, 0, bdev);
+ if (unlikely(rc))
+ security_bdev_free(bdev);
+
+ return LSM_RET_DEFAULT(bdev_alloc_security);
+}
+EXPORT_SYMBOL(security_bdev_alloc);
+
+void security_bdev_free(struct block_device *bdev)
+{
+ if (!bdev->security)
+ return;
+
+ call_void_hook(bdev_free_security, bdev);
+
+ kfree(bdev->security);
+ bdev->security = NULL;
+}
+EXPORT_SYMBOL(security_bdev_free);
+
+int security_bdev_setsecurity(struct block_device *bdev,
+ const char *name, const void *value,
+ size_t size)
+{
+ int rc = 0;
+ struct security_hook_list *p;
+
+ hlist_for_each_entry(p, &security_hook_heads.bdev_setsecurity, list) {
+ rc = p->hook.bdev_setsecurity(bdev, name, value, size);
+ if (rc && rc != -EOPNOTSUPP)
+ return rc;
+ }
+
+ return LSM_RET_DEFAULT(bdev_setsecurity);
+}
+EXPORT_SYMBOL(security_bdev_setsecurity);
+
#ifdef CONFIG_PERF_EVENTS
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
--
2.39.0
next prev parent reply other threads:[~2023-01-30 22:58 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-30 22:57 [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 01/16] security: add ipe lsm Fan Wu
2023-03-02 19:00 ` Paul Moore
2023-04-06 19:20 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 02/16] ipe: add policy parser Fan Wu
2023-01-31 10:53 ` Roberto Sassu
2023-02-01 22:38 ` Fan Wu
2023-03-02 19:02 ` Paul Moore
2023-04-06 20:00 ` Fan Wu
2023-04-11 19:13 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 03/16] ipe: add evaluation loop and introduce 'boot_verified' as a trust provider Fan Wu
2023-01-31 10:29 ` Roberto Sassu
2023-01-31 15:49 ` Roberto Sassu
2023-02-10 23:21 ` Fan Wu
2023-03-02 2:33 ` Paul Moore
2023-03-02 19:03 ` Paul Moore
2023-04-10 18:53 ` Fan Wu
2023-04-11 20:32 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 04/16] security: add new securityfs delete function Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 05/16] ipe: add userspace interface Fan Wu
2023-01-31 10:49 ` Roberto Sassu
2023-02-01 19:46 ` Fan Wu
2023-03-02 19:04 ` Paul Moore
2023-04-10 19:10 ` Fan Wu
2023-04-11 21:45 ` Paul Moore
2023-04-12 23:36 ` Fan Wu
2023-04-13 18:45 ` Paul Moore
2023-04-17 18:06 ` Fan Wu
2023-04-17 20:16 ` Paul Moore
2023-04-17 21:18 ` Fan Wu
2023-04-17 21:31 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 06/16] ipe: add LSM hooks on execution and kernel read Fan Wu
2023-01-31 12:51 ` Roberto Sassu
2023-02-09 22:42 ` Fan Wu
2023-03-02 19:05 ` Paul Moore
2023-04-10 21:22 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support Fan Wu
2023-01-31 12:57 ` Roberto Sassu
2023-01-31 17:10 ` Steve Grubb
2023-03-02 19:05 ` Paul Moore
2023-03-16 22:53 ` Fan Wu
2023-04-11 23:07 ` Paul Moore
2023-04-11 23:21 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 08/16] ipe: add permissive toggle Fan Wu
2023-03-02 19:06 ` Paul Moore
2023-01-30 22:57 ` Fan Wu [this message]
2023-01-31 8:53 ` [RFC PATCH v9 09/16] block|security: add LSM blob to block_device Christoph Hellwig
2023-01-31 23:01 ` Fan Wu
2023-03-02 19:07 ` Paul Moore
2023-01-30 22:57 ` [RFC PATCH v9 10/16] dm-verity: consume root hash digest and signature data via LSM hook Fan Wu
2023-01-31 13:22 ` Roberto Sassu
2023-02-01 23:26 ` Fan Wu
2023-02-02 8:21 ` Roberto Sassu
2023-02-07 23:52 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider Fan Wu
2023-03-02 19:08 ` Paul Moore
2023-03-16 22:10 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook Fan Wu
2023-02-09 3:30 ` Eric Biggers
2023-02-09 22:21 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 13/16] ipe: enable support for fs-verity as a trust provider Fan Wu
2023-01-31 14:00 ` Roberto Sassu
2023-02-01 23:50 ` Fan Wu
2023-02-02 9:51 ` Roberto Sassu
2023-02-08 0:16 ` Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 14/16] scripts: add boot policy generation program Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 15/16] ipe: kunit test for parser Fan Wu
2023-01-30 22:57 ` [RFC PATCH v9 16/16] documentation: add ipe documentation Fan Wu
2023-01-31 3:59 ` Bagas Sanjaya
2023-02-02 0:19 ` Fan Wu
2023-01-31 14:22 ` [RFC PATCH v9 00/16] Integrity Policy Enforcement LSM (IPE) Roberto Sassu
2023-02-01 0:48 ` Fan Wu
2023-02-02 10:48 ` Roberto Sassu
2023-02-08 0:31 ` Fan Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1675119451-23180-10-git-send-email-wufan@linux.microsoft.com \
--to=wufan@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=ebiggers@kernel.org \
--cc=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=snitzer@kernel.org \
--cc=tytso@mit.edu \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).