Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, keescook@chromium.org,
	john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
	paul@paul-moore.com, sds@tycho.nsa.gov
Subject: [PATCH v15 19/23] LSM: Verify LSM display sanity in binder
Date: Fri, 14 Feb 2020 15:41:59 -0800
Message-ID: <20200214234203.7086-20-casey@schaufler-ca.com> (raw)
In-Reply-To: <20200214234203.7086-1-casey@schaufler-ca.com>

Verify that the tasks on the ends of a binder transaction
use the same "display" security module. This prevents confusion
of security "contexts".

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/security.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/security/security.c b/security/security.c
index d663406cba86..d6600bb81829 100644
--- a/security/security.c
+++ b/security/security.c
@@ -769,9 +769,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr)
 	return call_int_hook(binder_set_context_mgr, 0, mgr);
 }
 
+/**
+ * security_binder_transaction - Binder driver transaction check
+ * @from: source of the transaction
+ * @to: destination of the transaction
+ *
+ * Verify that the tasks have the same LSM "display", then
+ * call the security module hooks.
+ *
+ * Returns -EINVAL if the displays don't match, or the
+ * result of the security module checks.
+ */
 int security_binder_transaction(struct task_struct *from,
 				struct task_struct *to)
 {
+	int from_display = lsm_task_display(from);
+	int to_display = lsm_task_display(to);
+
+	/*
+	 * If the display is LSMBLOB_INVALID the first module that has
+	 * an entry is used. This will be in the 0 slot.
+	 *
+	 * This is currently only required if the server has requested
+	 * peer contexts, but it would be unwieldly to have too much of
+	 * the binder driver detail here.
+	 */
+	if (from_display == LSMBLOB_INVALID)
+		from_display = 0;
+	if (to_display == LSMBLOB_INVALID)
+		to_display = 0;
+	if (from_display != to_display)
+		return -EINVAL;
+
 	return call_int_hook(binder_transaction, 0, from, to);
 }
 
-- 
2.24.1


  parent reply index

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20200214234203.7086-1-casey.ref@schaufler-ca.com>
2020-02-14 23:41 ` [PATCH v15 00/23] LSM: Module stacking for AppArmor Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 01/23] LSM: Infrastructure management of the sock security Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 02/23] LSM: Create and manage the lsmblob data structure Casey Schaufler
2020-02-18 17:56     ` Stephen Smalley
2020-02-14 23:41   ` [PATCH v15 03/23] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 04/23] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 05/23] net: Prepare UDS for security module stacking Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 06/23] Use lsmblob in security_secctx_to_secid Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 07/23] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 08/23] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 09/23] LSM: Use lsmblob in security_task_getsecid Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 10/23] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 11/23] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 12/23] IMA: Change internal interfaces to use lsmblobs Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 13/23] LSM: Specify which LSM to display Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 14/23] LSM: Ensure the correct LSM context releaser Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 15/23] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 16/23] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 17/23] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2020-02-14 23:41   ` [PATCH v15 18/23] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2020-02-14 23:41   ` Casey Schaufler [this message]
2020-02-14 23:42   ` [PATCH v15 20/23] Audit: Add subj_LSM fields when necessary Casey Schaufler
2020-02-14 23:42   ` [PATCH v15 21/23] Audit: Include object data for all security modules Casey Schaufler
2020-02-14 23:42   ` [PATCH v15 22/23] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2020-02-18 18:17     ` Stephen Smalley
2020-02-14 23:42   ` [PATCH v15 23/23] AppArmor: Remove the exclusive flag Casey Schaufler
2020-02-18 18:19     ` Stephen Smalley

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200214234203.7086-20-casey@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=casey.schaufler@intel.com \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git