* [PATCH 1/9] procfs: add smack subdir to attrs
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-10-27 21:45 ` [PATCH 2/9] LSM: Manage credential security blobs Casey Schaufler
` (9 subsequent siblings)
10 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 1/9] procfs: add smack subdir to attrs
Back in 2007 I made what turned out to be a rather serious
mistake in the implementation of the Smack security module.
The SELinux module used an interface in /proc to manipulate
the security context on processes. Rather than use a similar
interface, I used the same interface. The AppArmor team did
likewise. Now /proc/.../attr/current will tell you the
security "context" of the process, but it will be different
depending on the security module you're using.
This patch provides a subdirectory in /proc/.../attr for
Smack. Smack user space can use the "current" file in
this subdirectory and never have to worry about getting
SELinux attributes by mistake. Programs that use the
old interface will continue to work (or fail, as the case
may be) as before.
The original implementation is by Kees Cook.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/admin-guide/LSM/index.rst | 13 +++++--
fs/proc/base.c | 63 ++++++++++++++++++++++++++++-----
fs/proc/internal.h | 1 +
include/linux/security.h | 15 +++++---
security/security.c | 24 ++++++++++---
5 files changed, 95 insertions(+), 21 deletions(-)
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index c980dfe9abf1..9842e21afd4a 100644
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -17,9 +17,8 @@ MAC extensions, other extensions can be built using the LSM to provide
specific changes to system operation when these tweaks are not available
in the core functionality of Linux itself.
-Without a specific LSM built into the kernel, the default LSM will be the
-Linux capabilities system. Most LSMs choose to extend the capabilities
-system, building their checks on top of the defined capability hooks.
+The Linux capabilities modules will always be included. This may be
+followed by any number of "minor" modules and at most one "major" module.
For more details on capabilities, see ``capabilities(7)`` in the Linux
man-pages project.
@@ -30,6 +29,14 @@ order in which checks are made. The capability module will always
be first, followed by any "minor" modules (e.g. Yama) and then
the one "major" module (e.g. SELinux) if there is one configured.
+Process attributes associated with "major" security modules should
+be accessed and maintained using the special files in ``/proc/.../attr``.
+A security module may maintain a module specific subdirectory there,
+named after the module. ``/proc/.../attr/smack`` is provided by the Smack
+security module and contains all its special files. The files directly
+in ``/proc/.../attr`` remain as legacy interfaces for modules that provide
+subdirectories.
+
.. toctree::
:maxdepth: 1
diff --git a/fs/proc/base.c b/fs/proc/base.c
index ad3b0762cc3e..a096e90fc12e 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -139,9 +139,13 @@ struct pid_entry {
#define REG(NAME, MODE, fops) \
NOD(NAME, (S_IFREG|(MODE)), NULL, &fops, {})
#define ONE(NAME, MODE, show) \
- NOD(NAME, (S_IFREG|(MODE)), \
+ NOD(NAME, (S_IFREG|(MODE)), \
NULL, &proc_single_file_operations, \
{ .proc_show = show } )
+#define ATTR(LSM, NAME, MODE) \
+ NOD(NAME, (S_IFREG|(MODE)), \
+ NULL, &proc_pid_attr_operations, \
+ { .lsm = LSM })
/*
* Count the number of hardlinks for the pid_entry table, excluding the .
@@ -2496,7 +2500,7 @@ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
if (!task)
return -ESRCH;
- length = security_getprocattr(task,
+ length = security_getprocattr(task, PROC_I(inode)->op.lsm,
(char*)file->f_path.dentry->d_name.name,
&p);
put_task_struct(task);
@@ -2542,7 +2546,8 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
if (length < 0)
goto out_free;
- length = security_setprocattr(file->f_path.dentry->d_name.name,
+ length = security_setprocattr(PROC_I(inode)->op.lsm,
+ file->f_path.dentry->d_name.name,
page, count);
mutex_unlock(¤t->signal->cred_guard_mutex);
out_free:
@@ -2559,13 +2564,53 @@ static const struct file_operations proc_pid_attr_operations = {
.llseek = generic_file_llseek,
};
+#define LSM_DIR_OPS(LSM) \
+static int proc_##LSM##_attr_dir_iterate(struct file *filp, \
+ struct dir_context *ctx) \
+{ \
+ return proc_pident_readdir(filp, ctx, \
+ LSM##_attr_dir_stuff, \
+ ARRAY_SIZE(LSM##_attr_dir_stuff)); \
+} \
+\
+static const struct file_operations proc_##LSM##_attr_dir_ops = { \
+ .read = generic_read_dir, \
+ .iterate = proc_##LSM##_attr_dir_iterate, \
+ .llseek = default_llseek, \
+}; \
+\
+static struct dentry *proc_##LSM##_attr_dir_lookup(struct inode *dir, \
+ struct dentry *dentry, unsigned int flags) \
+{ \
+ return proc_pident_lookup(dir, dentry, \
+ LSM##_attr_dir_stuff, \
+ ARRAY_SIZE(LSM##_attr_dir_stuff)); \
+} \
+\
+static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \
+ .lookup = proc_##LSM##_attr_dir_lookup, \
+ .getattr = pid_getattr, \
+ .setattr = proc_setattr, \
+}
+
+#ifdef CONFIG_SECURITY_SMACK
+static const struct pid_entry smack_attr_dir_stuff[] = {
+ ATTR("smack", "current", 0666),
+};
+LSM_DIR_OPS(smack);
+#endif
+
static const struct pid_entry attr_dir_stuff[] = {
- REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("prev", S_IRUGO, proc_pid_attr_operations),
- REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ ATTR(NULL, "current", 0666),
+ ATTR(NULL, "prev", 0444),
+ ATTR(NULL, "exec", 0666),
+ ATTR(NULL, "fscreate", 0666),
+ ATTR(NULL, "keycreate", 0666),
+ ATTR(NULL, "sockcreate", 0666),
+#ifdef CONFIG_SECURITY_SMACK
+ DIR("smack", 0555,
+ proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
+#endif
};
static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
index a34195e92b20..758e32874444 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -58,6 +58,7 @@ union proc_op {
int (*proc_show)(struct seq_file *m,
struct pid_namespace *ns, struct pid *pid,
struct task_struct *task);
+ const char *lsm;
};
struct proc_inode {
diff --git a/include/linux/security.h b/include/linux/security.h
index ce6265960d6c..46ec92658ad3 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -375,8 +375,10 @@ int security_sem_semctl(struct sem_array *sma, int cmd);
int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
unsigned nsops, int alter);
void security_d_instantiate(struct dentry *dentry, struct inode *inode);
-int security_getprocattr(struct task_struct *p, char *name, char **value);
-int security_setprocattr(const char *name, void *value, size_t size);
+int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ char **value);
+int security_setprocattr(const char *lsm, const char *name, void *value,
+ size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
@@ -1128,15 +1130,18 @@ static inline int security_sem_semop(struct sem_array *sma,
return 0;
}
-static inline void security_d_instantiate(struct dentry *dentry, struct inode *inode)
+static inline void security_d_instantiate(struct dentry *dentry,
+ struct inode *inode)
{ }
-static inline int security_getprocattr(struct task_struct *p, char *name, char **value)
+static inline int security_getprocattr(struct task_struct *p, const char *lsm,
+ char *name, char **value)
{
return -EINVAL;
}
-static inline int security_setprocattr(char *name, void *value, size_t size)
+static inline int security_setprocattr(const char *lsm, char *name,
+ void *value, size_t size)
{
return -EINVAL;
}
diff --git a/security/security.c b/security/security.c
index 4bf0f571b4ef..49a069bb76da 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1253,14 +1253,30 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode)
}
EXPORT_SYMBOL(security_d_instantiate);
-int security_getprocattr(struct task_struct *p, char *name, char **value)
+int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ char **value)
{
- return call_int_hook(getprocattr, -EINVAL, p, name, value);
+ struct security_hook_list *hp;
+
+ list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ return hp->hook.getprocattr(p, name, value);
+ }
+ return -EINVAL;
}
-int security_setprocattr(const char *name, void *value, size_t size)
+int security_setprocattr(const char *lsm, const char *name, void *value,
+ size_t size)
{
- return call_int_hook(setprocattr, -EINVAL, name, value, size);
+ struct security_hook_list *hp;
+
+ list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsm))
+ continue;
+ return hp->hook.setprocattr(name, value, size);
+ }
+ return -EINVAL;
}
int security_netlink_send(struct sock *sk, struct sk_buff *skb)
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 2/9] LSM: Manage credential security blobs
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
2017-10-27 21:45 ` [PATCH 1/9] procfs: add smack subdir to attrs Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-10-27 21:45 ` [PATCH 3/9] LSM: Manage file " Casey Schaufler
` (8 subsequent siblings)
10 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 2/9] LSM: Manage credential security blobs
Move the management of credential security blobs from the
individual security modules to the security infrastructure.
The security modules using credential blobs have been updated
accordingly. Modules are required to identify the space they
require at module initialization. In some cases a module no
longer needs to supply a blob management hook, in which case
the hook has been removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 14 ++++
kernel/cred.c | 13 ----
security/Kconfig | 11 +++
security/apparmor/context.c | 2 -
security/apparmor/include/context.h | 9 ++-
security/apparmor/lsm.c | 44 +++++-------
security/security.c | 98 ++++++++++++++++++++++++++-
security/selinux/hooks.c | 113 ++++++++++++-------------------
security/selinux/include/objsec.h | 9 +++
security/selinux/selinuxfs.c | 1 +
security/selinux/xfrm.c | 4 +-
security/smack/smack.h | 15 ++++-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 130 +++++++++++++++---------------------
security/smack/smackfs.c | 18 ++---
security/tomoyo/common.h | 20 +++++-
security/tomoyo/domain.c | 4 +-
security/tomoyo/securityfs_if.c | 13 ++--
security/tomoyo/tomoyo.c | 49 +++++++++++---
19 files changed, 343 insertions(+), 226 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index c9258124e417..ee4fcc51fa91 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1915,6 +1915,13 @@ struct security_hook_list {
} __randomize_layout;
/*
+ * Security blob size or offset data.
+ */
+struct lsm_blob_sizes {
+ int lbs_cred;
+};
+
+/*
* Initializing a security_hook_list structure takes
* up a lot of space in a source file. This macro takes
* care of the common case and reduces the amount of
@@ -1926,6 +1933,7 @@ struct security_hook_list {
extern struct security_hook_heads security_hook_heads;
extern char *lsm_names;
+extern void security_add_blobs(struct lsm_blob_sizes *needed);
extern void security_add_hooks(struct security_hook_list *hooks, int count,
char *lsm);
@@ -1972,4 +1980,10 @@ void __init loadpin_add_hooks(void);
static inline void loadpin_add_hooks(void) { };
#endif
+extern int lsm_cred_alloc(struct cred *cred, gfp_t gfp);
+
+#ifdef CONFIG_SECURITY
+void lsm_early_cred(struct cred *cred);
+#endif
+
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/kernel/cred.c b/kernel/cred.c
index ecf03657e71c..fa2061ee4955 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -704,19 +704,6 @@ bool creds_are_invalid(const struct cred *cred)
{
if (cred->magic != CRED_MAGIC)
return true;
-#ifdef CONFIG_SECURITY_SELINUX
- /*
- * cred->security == NULL if security_cred_alloc_blank() or
- * security_prepare_creds() returned an error.
- */
- if (selinux_is_enabled() && cred->security) {
- if ((unsigned long) cred->security < PAGE_SIZE)
- return true;
- if ((*(u32 *)cred->security & 0xffffff00) ==
- (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
- return true;
- }
-#endif
return false;
}
EXPORT_SYMBOL(creds_are_invalid);
diff --git a/security/Kconfig b/security/Kconfig
index e8e449444e65..f3464fb5a8b0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -36,6 +36,17 @@ config SECURITY_WRITABLE_HOOKS
bool
default n
+config SECURITY_LSM_DEBUG
+ bool "Enable debugging of the LSM infrastructure"
+ depends on SECURITY
+ help
+ This allows you to choose debug messages related to
+ security modules configured into your kernel. These
+ messages may be helpful in determining how a security
+ module is using security blobs.
+
+ If you are unsure how to answer this question, answer N.
+
config SECURITYFS
bool "Enable the securityfs filesystem"
help
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index c95f1ac6190b..db203ee24db8 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -50,8 +50,6 @@ void aa_free_task_context(struct aa_task_ctx *ctx)
aa_put_label(ctx->label);
aa_put_label(ctx->previous);
aa_put_label(ctx->onexec);
-
- kzfree(ctx);
}
}
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index 6ae07e9aaa17..301ab3a0dd04 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -18,11 +18,12 @@
#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
+#include <linux/lsm_hooks.h>
#include "label.h"
#include "policy_ns.h"
-#define cred_ctx(X) ((X)->security)
+#define cred_ctx(X) apparmor_cred(X)
#define current_ctx() cred_ctx(current_cred())
/**
@@ -54,6 +55,10 @@ int aa_set_current_hat(struct aa_label *label, u64 token);
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);
+static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
+{
+ return cred->security;
+}
/**
* aa_cred_raw_label - obtain cred's label
@@ -65,7 +70,7 @@ struct aa_label *aa_get_task_label(struct task_struct *task);
*/
static inline struct aa_label *aa_cred_raw_label(const struct cred *cred)
{
- struct aa_task_ctx *ctx = cred_ctx(cred);
+ struct aa_task_ctx *ctx = apparmor_cred(cred);
AA_BUG(!ctx || !ctx->label);
return ctx->label;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 72b915dfcaf7..d80293bde5bf 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -57,22 +57,6 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
static void apparmor_cred_free(struct cred *cred)
{
aa_free_task_context(cred_ctx(cred));
- cred_ctx(cred) = NULL;
-}
-
-/*
- * allocate the apparmor part of blank credentials
- */
-static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- /* freed by apparmor_cred_free */
- struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
-
- if (!ctx)
- return -ENOMEM;
-
- cred_ctx(cred) = ctx;
- return 0;
}
/*
@@ -81,14 +65,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- /* freed by apparmor_cred_free */
- struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
-
- if (!ctx)
- return -ENOMEM;
-
- aa_dup_task_context(ctx, cred_ctx(old));
- cred_ctx(new) = ctx;
+ aa_dup_task_context(cred_ctx(new), cred_ctx(old));
return 0;
}
@@ -1099,6 +1076,10 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
ctx->label = aa_get_current_label();
}
+struct lsm_blob_sizes apparmor_blob_sizes = {
+ .lbs_cred = sizeof(struct aa_task_ctx),
+};
+
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
@@ -1157,7 +1138,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
apparmor_socket_getpeersec_dgram),
LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
- LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
LSM_HOOK_INIT(cred_free, apparmor_cred_free),
LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
@@ -1413,12 +1393,10 @@ static int __init set_init_ctx(void)
struct cred *cred = (struct cred *)current->real_cred;
struct aa_task_ctx *ctx;
- ctx = aa_alloc_task_context(GFP_KERNEL);
- if (!ctx)
- return -ENOMEM;
+ lsm_early_cred(cred);
+ ctx = apparmor_cred(cred);
ctx->label = aa_get_label(ns_unconfined(root_ns));
- cred_ctx(cred) = ctx;
return 0;
}
@@ -1502,8 +1480,16 @@ static inline int apparmor_init_sysctl(void)
static int __init apparmor_init(void)
{
+ static int finish;
int error;
+ if (!finish) {
+ if (apparmor_enabled && security_module_enable("apparmor"))
+ security_add_blobs(&apparmor_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
if (!apparmor_enabled || !security_module_enable("apparmor")) {
aa_info_message("AppArmor disabled by boot time parameter");
apparmor_enabled = 0;
diff --git a/security/security.c b/security/security.c
index 49a069bb76da..6fadc3860fb0 100644
--- a/security/security.c
+++ b/security/security.c
@@ -38,6 +38,8 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init;
static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
char *lsm_names;
+static struct lsm_blob_sizes blob_sizes;
+
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY;
@@ -75,10 +77,22 @@ int __init security_init(void)
loadpin_add_hooks();
/*
- * Load all the remaining security modules.
+ * The first call to a module specific init function
+ * updates the blob size requirements.
+ */
+ do_security_initcalls();
+
+ /*
+ * The second call to a module specific init function
+ * adds hooks to the hook lists and does any other early
+ * initializations required.
*/
do_security_initcalls();
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
+#endif
+
return 0;
}
@@ -186,6 +200,75 @@ int unregister_lsm_notifier(struct notifier_block *nb)
}
EXPORT_SYMBOL(unregister_lsm_notifier);
+/**
+ * lsm_cred_alloc - allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ * @gfp: allocation type
+ *
+ * Allocate the cred blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (cred->security)
+ pr_info("%s: Inbound cred blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_cred == 0)
+ return 0;
+
+ cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
+ if (cred->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_early_cred - during initialization allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ *
+ * Allocate the cred blob for all the modules if it's not already there
+ */
+void lsm_early_cred(struct cred *cred)
+{
+ int rc;
+
+ if (cred == NULL)
+ panic("%s: NULL cred.\n", __func__);
+ if (cred->security != NULL)
+ return;
+ rc = lsm_cred_alloc(cred, GFP_KERNEL);
+ if (rc)
+ panic("%s: Early cred alloc failed.\n", __func__);
+}
+
+static void __init lsm_set_size(int *need, int *lbs)
+{
+ int offset;
+
+ if (*need > 0) {
+ offset = *lbs;
+ *lbs += *need;
+ *need = offset;
+ }
+}
+
+/**
+ * security_add_blobs - Report blob sizes
+ * @needed: the size of blobs needed by the module
+ *
+ * Each LSM has to register its blobs with the infrastructure.
+ * The "needed" data tells the infrastructure how much memory
+ * the module requires for each of its blobs. On return the
+ * structure is filled with the offset that module should use
+ * from the blob pointer.
+ */
+void __init security_add_blobs(struct lsm_blob_sizes *needed)
+{
+ lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
+}
+
/*
* Hook list operation macros.
*
@@ -986,16 +1069,29 @@ void security_task_free(struct task_struct *task)
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
+ int rc = lsm_cred_alloc(cred, gfp);
+
+ if (rc)
+ return rc;
+
return call_int_hook(cred_alloc_blank, 0, cred, gfp);
}
void security_cred_free(struct cred *cred)
{
call_void_hook(cred_free, cred);
+
+ kfree(cred->security);
+ cred->security = NULL;
}
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
{
+ int rc = lsm_cred_alloc(new, gfp);
+
+ if (rc)
+ return rc;
+
return call_int_hook(cred_prepare, 0, new, old, gfp);
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f5d304736852..a4d1ec236d4e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -191,12 +191,9 @@ static void cred_init_security(void)
struct cred *cred = (struct cred *) current->real_cred;
struct task_security_struct *tsec;
- tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
- if (!tsec)
- panic("SELinux: Failed to initialize initial task.\n");
-
+ lsm_early_cred(cred);
+ tsec = selinux_cred(cred);
tsec->osid = tsec->sid = SECINITSID_KERNEL;
- cred->security = tsec;
}
/*
@@ -206,7 +203,7 @@ static inline u32 cred_sid(const struct cred *cred)
{
const struct task_security_struct *tsec;
- tsec = cred->security;
+ tsec = selinux_cred(cred);
return tsec->sid;
}
@@ -442,7 +439,7 @@ static int may_context_mount_sb_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
@@ -459,7 +456,7 @@ static int may_context_mount_inode_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec = selinux_cred(cred);
int rc;
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
@@ -1884,7 +1881,7 @@ static int may_create(struct inode *dir,
struct dentry *dentry,
u16 tclass)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid;
@@ -1905,7 +1902,7 @@ static int may_create(struct inode *dir,
if (rc)
return rc;
- rc = selinux_determine_inode_label(current_security(), dir,
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()), dir,
&dentry->d_name, tclass, &newsid);
if (rc)
return rc;
@@ -2379,8 +2376,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->called_set_creds)
return 0;
- old_tsec = current_security();
- new_tsec = bprm->cred->security;
+ old_tsec = selinux_cred(current_cred());
+ new_tsec = selinux_cred(bprm->cred);
isec = inode_security(inode);
/* Default to the current task SID. */
@@ -2538,7 +2535,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
struct rlimit *rlim, *initrlim;
int rc, i;
- new_tsec = bprm->cred->security;
+ new_tsec = selinux_cred(bprm->cred);
if (new_tsec->sid == new_tsec->osid)
return;
@@ -2580,7 +2577,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
*/
static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct itimerval itimer;
u32 osid, sid;
int rc, i;
@@ -2880,7 +2877,7 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
u32 newsid;
int rc;
- rc = selinux_determine_inode_label(current_security(),
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()),
d_inode(dentry->d_parent), name,
inode_mode_to_security_class(mode),
&newsid);
@@ -2899,14 +2896,14 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
int rc;
struct task_security_struct *tsec;
- rc = selinux_determine_inode_label(old->security,
+ rc = selinux_determine_inode_label(selinux_cred(old),
d_inode(dentry->d_parent), name,
inode_mode_to_security_class(mode),
&newsid);
if (rc)
return rc;
- tsec = new->security;
+ tsec = selinux_cred(new);
tsec->create_sid = newsid;
return 0;
}
@@ -2916,7 +2913,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
const char **name,
void **value, size_t *len)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct superblock_security_struct *sbsec;
u32 sid, newsid, clen;
int rc;
@@ -2927,7 +2924,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
sid = tsec->sid;
newsid = tsec->create_sid;
- rc = selinux_determine_inode_label(current_security(),
+ rc = selinux_determine_inode_label(selinux_cred(current_cred()),
dir, qstr,
inode_mode_to_security_class(inode->i_mode),
&newsid);
@@ -3383,7 +3380,7 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
return -ENOMEM;
}
- tsec = new_creds->security;
+ tsec = selinux_cred(new_creds);
/* Get label from overlay inode and set it in create_sid */
selinux_inode_getsecid(d_inode(src), &sid);
tsec->create_sid = sid;
@@ -3776,52 +3773,16 @@ static int selinux_task_alloc(struct task_struct *task,
}
/*
- * allocate the SELinux part of blank credentials
- */
-static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- struct task_security_struct *tsec;
-
- tsec = kzalloc(sizeof(struct task_security_struct), gfp);
- if (!tsec)
- return -ENOMEM;
-
- cred->security = tsec;
- return 0;
-}
-
-/*
- * detach and free the LSM part of a set of credentials
- */
-static void selinux_cred_free(struct cred *cred)
-{
- struct task_security_struct *tsec = cred->security;
-
- /*
- * cred->security == NULL if security_cred_alloc_blank() or
- * security_prepare_creds() returned an error.
- */
- BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
- cred->security = (void *) 0x7UL;
- kfree(tsec);
-}
-
-/*
* prepare a new set of credentials for modification
*/
static int selinux_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- const struct task_security_struct *old_tsec;
- struct task_security_struct *tsec;
+ const struct task_security_struct *old_tsec = selinux_cred(old);
+ struct task_security_struct *tsec = selinux_cred(new);
- old_tsec = old->security;
-
- tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
- if (!tsec)
- return -ENOMEM;
+ *tsec = *old_tsec;
- new->security = tsec;
return 0;
}
@@ -3830,8 +3791,8 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
*/
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct task_security_struct *old_tsec = old->security;
- struct task_security_struct *tsec = new->security;
+ const struct task_security_struct *old_tsec = selinux_cred(old);
+ struct task_security_struct *tsec = selinux_cred(new);
*tsec = *old_tsec;
}
@@ -3842,7 +3803,7 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
*/
static int selinux_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = selinux_cred(new);
u32 sid = current_sid();
int ret;
@@ -3866,7 +3827,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
{
struct inode_security_struct *isec = inode_security(inode);
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = selinux_cred(new);
u32 sid = current_sid();
int ret;
@@ -4348,7 +4309,7 @@ static int sock_has_perm(struct sock *sk, u32 perms)
static int selinux_socket_create(int family, int type,
int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
u32 newsid;
u16 secclass;
int rc;
@@ -4367,7 +4328,7 @@ static int selinux_socket_create(int family, int type,
static int selinux_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock));
struct sk_security_struct *sksec;
u16 sclass = socket_type_to_security_class(family, type, protocol);
@@ -4990,7 +4951,7 @@ static int selinux_secmark_relabel_packet(u32 sid)
const struct task_security_struct *__tsec;
u32 tsid;
- __tsec = current_security();
+ __tsec = selinux_cred(current_cred());
tsid = __tsec->sid;
return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
@@ -5897,7 +5858,7 @@ static int selinux_getprocattr(struct task_struct *p,
unsigned len;
rcu_read_lock();
- __tsec = __task_cred(p)->security;
+ __tsec = selinux_cred(__task_cred(p));
if (current != p) {
error = avc_has_perm(current_sid(), __tsec->sid,
@@ -6010,7 +5971,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
operation. See selinux_bprm_set_creds for the execve
checks and may_create for the file creation checks. The
operation will then fail if the context is not permitted. */
- tsec = new->security;
+ tsec = selinux_cred(new);
if (!strcmp(name, "exec")) {
tsec->exec_sid = sid;
} else if (!strcmp(name, "fscreate")) {
@@ -6133,7 +6094,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
if (!ksec)
return -ENOMEM;
- tsec = cred->security;
+ tsec = selinux_cred(cred);
if (tsec->keycreate_sid)
ksec->sid = tsec->keycreate_sid;
else
@@ -6252,6 +6213,10 @@ static void selinux_ib_free_security(void *ib_sec)
}
#endif
+struct lsm_blob_sizes selinux_blob_sizes = {
+ .lbs_cred = sizeof(struct task_security_struct),
+};
+
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
@@ -6334,8 +6299,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_open, selinux_file_open),
LSM_HOOK_INIT(task_alloc, selinux_task_alloc),
- LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank),
- LSM_HOOK_INIT(cred_free, selinux_cred_free),
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
@@ -6475,11 +6438,19 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
static __init int selinux_init(void)
{
+ static int finish;
+
if (!security_module_enable("selinux")) {
selinux_enabled = 0;
return 0;
}
+ if (!finish) {
+ security_add_blobs(&selinux_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
if (!selinux_enabled) {
printk(KERN_INFO "SELinux: Disabled at boot.\n");
return 0;
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 1649cd18eb0b..c0bdb7232f39 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -25,6 +25,9 @@
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
+#include <linux/lsm_hooks.h>
+#include <linux/msg.h>
+#include <net/sock.h>
#include <net/net_namespace.h>
#include "flask.h"
#include "avc.h"
@@ -151,5 +154,11 @@ struct pkey_security_struct {
};
extern unsigned int selinux_checkreqprot;
+extern struct lsm_blob_sizes selinux_blob_sizes;
+
+static inline struct task_security_struct *selinux_cred(const struct cred *cred)
+{
+ return cred->security;
+}
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 00eed842c491..855a13053a81 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -30,6 +30,7 @@
#include <linux/uaccess.h>
#include <linux/kobject.h>
#include <linux/ctype.h>
+#include <linux/lsm_hooks.h>
/* selinuxfs pseudo filesystem for exporting the security policy API.
Based on the proc code and the fs/nfsd/nfsctl.c code. */
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 56e354fcdfc6..789d07bd900f 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -79,7 +79,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
gfp_t gfp)
{
int rc;
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
struct xfrm_sec_ctx *ctx = NULL;
u32 str_len;
@@ -136,7 +136,7 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
*/
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
if (!ctx)
return 0;
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 6a71fc7831ab..ab1d217800e2 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -24,6 +24,7 @@
#include <linux/list.h>
#include <linux/rculist.h>
#include <linux/lsm_audit.h>
+#include <linux/msg.h>
/*
* Use IPv6 port labeling if IPv6 is enabled and secmarks
@@ -355,6 +356,11 @@ extern struct list_head smack_onlycap_list;
#define SMACK_HASH_SLOTS 16
extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
+static inline struct task_smack *smack_cred(const struct cred *cred)
+{
+ return cred->security;
+}
+
/*
* Is the directory transmuting?
*/
@@ -381,13 +387,16 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
return tsp->smk_task;
}
-static inline struct smack_known *smk_of_task_struct(const struct task_struct *t)
+static inline struct smack_known *smk_of_task_struct(
+ const struct task_struct *t)
{
struct smack_known *skp;
+ const struct cred *cred;
rcu_read_lock();
- skp = smk_of_task(__task_cred(t)->security);
+ cred = __task_cred(t);
rcu_read_unlock();
+ skp = smk_of_task(smack_cred(cred));
return skp;
}
@@ -404,7 +413,7 @@ static inline struct smack_known *smk_of_forked(const struct task_smack *tsp)
*/
static inline struct smack_known *smk_of_current(void)
{
- return smk_of_task(current_security());
+ return smk_of_task(smack_cred(current_cred()));
}
/*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 1a3004189447..e1d304c65fe3 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -275,7 +275,7 @@ int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known,
int smk_curacc(struct smack_known *obj_known,
u32 mode, struct smk_audit_info *a)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_tskacc(tsp, obj_known, mode, a);
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 319add31b4a4..ff4e5c632410 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -121,7 +121,7 @@ static int smk_bu_note(char *note, struct smack_known *sskp,
static int smk_bu_current(char *note, struct smack_known *oskp,
int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (rc <= 0)
@@ -142,7 +142,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp,
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_task(struct task_struct *otp, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *smk_task = smk_of_task_struct(otp);
char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -164,7 +164,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_inode(struct inode *inode, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct inode_smack *isp = inode->i_security;
char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -194,7 +194,7 @@ static int smk_bu_inode(struct inode *inode, int mode, int rc)
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_file(struct file *file, int mode, int rc)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
struct inode_smack *isp = inode->i_security;
@@ -224,7 +224,7 @@ static int smk_bu_file(struct file *file, int mode, int rc)
static int smk_bu_credfile(const struct cred *cred, struct file *file,
int mode, int rc)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
struct inode_smack *isp = inode->i_security;
@@ -308,29 +308,20 @@ static struct inode_smack *new_inode_smack(struct smack_known *skp)
}
/**
- * new_task_smack - allocate a task security blob
+ * init_task_smack - initialize a task security blob
+ * @tsp: blob to initialize
* @task: a pointer to the Smack label for the running task
* @forked: a pointer to the Smack label for the forked task
- * @gfp: type of the memory for the allocation
*
- * Returns the new blob or NULL if there's no memory available
*/
-static struct task_smack *new_task_smack(struct smack_known *task,
- struct smack_known *forked, gfp_t gfp)
+static void init_task_smack(struct task_smack *tsp, struct smack_known *task,
+ struct smack_known *forked)
{
- struct task_smack *tsp;
-
- tsp = kzalloc(sizeof(struct task_smack), gfp);
- if (tsp == NULL)
- return NULL;
-
tsp->smk_task = task;
tsp->smk_forked = forked;
INIT_LIST_HEAD(&tsp->smk_rules);
INIT_LIST_HEAD(&tsp->smk_relabel);
mutex_init(&tsp->smk_rules_lock);
-
- return tsp;
}
/**
@@ -428,7 +419,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
}
rcu_read_lock();
- tsp = __task_cred(tracer)->security;
+ tsp = smack_cred(__task_cred(tracer));
tracer_known = smk_of_task(tsp);
if ((mode & PTRACE_MODE_ATTACH) &&
@@ -495,7 +486,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
int rc;
struct smack_known *skp;
- skp = smk_of_task(current_security());
+ skp = smk_of_task(smack_cred(current_cred()));
rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
return rc;
@@ -912,7 +903,7 @@ static int smack_sb_statfs(struct dentry *dentry)
static int smack_bprm_set_creds(struct linux_binprm *bprm)
{
struct inode *inode = file_inode(bprm->file);
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = smack_cred(bprm->cred);
struct inode_smack *isp;
struct superblock_smack *sbsp;
int rc;
@@ -1748,7 +1739,7 @@ static int smack_mmap_file(struct file *file,
return -EACCES;
mkp = isp->smk_mmap;
- tsp = current_security();
+ tsp = smack_cred(current_cred());
skp = smk_of_current();
rc = 0;
@@ -1844,7 +1835,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
struct smack_known *skp;
- struct smack_known *tkp = smk_of_task(tsk->cred->security);
+ struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
struct file *file;
int rc;
struct smk_audit_info ad;
@@ -1892,7 +1883,7 @@ static int smack_file_receive(struct file *file)
if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
sock = SOCKET_I(inode);
ssp = sock->sk->sk_security;
- tsp = current_security();
+ tsp = smack_cred(current_cred());
/*
* If the receiving process can't write to the
* passed socket or if the passed socket can't
@@ -1934,7 +1925,7 @@ static int smack_file_receive(struct file *file)
*/
static int smack_file_open(struct file *file, const struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct inode *inode = file_inode(file);
struct smk_audit_info ad;
int rc;
@@ -1962,14 +1953,7 @@ static int smack_file_open(struct file *file, const struct cred *cred)
*/
static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
- struct task_smack *tsp;
-
- tsp = new_task_smack(NULL, NULL, gfp);
- if (tsp == NULL)
- return -ENOMEM;
-
- cred->security = tsp;
-
+ init_task_smack(smack_cred(cred), NULL, NULL);
return 0;
}
@@ -1981,15 +1965,11 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void smack_cred_free(struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = smack_cred(cred);
struct smack_rule *rp;
struct list_head *l;
struct list_head *n;
- if (tsp == NULL)
- return;
- cred->security = NULL;
-
smk_destroy_label_list(&tsp->smk_relabel);
list_for_each_safe(l, n, &tsp->smk_rules) {
@@ -1997,7 +1977,6 @@ static void smack_cred_free(struct cred *cred)
list_del(&rp->list);
kfree(rp);
}
- kfree(tsp);
}
/**
@@ -2011,15 +1990,11 @@ static void smack_cred_free(struct cred *cred)
static int smack_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp;
+ struct task_smack *old_tsp = smack_cred(old);
+ struct task_smack *new_tsp = smack_cred(new);
int rc;
- new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp);
- if (new_tsp == NULL)
- return -ENOMEM;
-
- new->security = new_tsp;
+ init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task);
rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
if (rc != 0)
@@ -2027,10 +2002,7 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel,
gfp);
- if (rc != 0)
- return rc;
-
- return 0;
+ return rc;
}
/**
@@ -2042,15 +2014,14 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
*/
static void smack_cred_transfer(struct cred *new, const struct cred *old)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp = new->security;
+ struct task_smack *old_tsp = smack_cred(old);
+ struct task_smack *new_tsp = smack_cred(new);
new_tsp->smk_task = old_tsp->smk_task;
new_tsp->smk_forked = old_tsp->smk_task;
mutex_init(&new_tsp->smk_rules_lock);
INIT_LIST_HEAD(&new_tsp->smk_rules);
-
/* cbs copy rule list */
}
@@ -2063,7 +2034,7 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
*/
static int smack_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_smack *new_tsp = new->security;
+ struct task_smack *new_tsp = smack_cred(new);
new_tsp->smk_task = smack_from_secid(secid);
return 0;
@@ -2081,7 +2052,7 @@ static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
struct inode_smack *isp = inode->i_security;
- struct task_smack *tsp = new->security;
+ struct task_smack *tsp = smack_cred(new);
tsp->smk_forked = isp->smk_inode;
tsp->smk_task = tsp->smk_forked;
@@ -3644,7 +3615,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
*/
static int smack_setprocattr(const char *name, void *value, size_t size)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
struct cred *new;
struct smack_known *skp;
struct smack_known_list_elem *sklep;
@@ -3685,7 +3656,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
if (new == NULL)
return -ENOMEM;
- tsp = new->security;
+ tsp = smack_cred(new);
tsp->smk_task = skp;
/*
* process can change its label only once
@@ -4321,7 +4292,7 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- struct smack_known *skp = smk_of_task(cred->security);
+ struct smack_known *skp = smk_of_task(smack_cred(cred));
key->security = skp;
return 0;
@@ -4352,7 +4323,7 @@ static int smack_key_permission(key_ref_t key_ref,
{
struct key *keyp;
struct smk_audit_info ad;
- struct smack_known *tkp = smk_of_task(cred->security);
+ struct smack_known *tkp = smk_of_task(smack_cred(cred));
int request = 0;
int rc;
@@ -4605,6 +4576,10 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
return 0;
}
+struct lsm_blob_sizes smack_blob_sizes = {
+ .lbs_cred = sizeof(struct task_smack),
+};
+
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4778,23 +4753,35 @@ static __init void init_smack_known_list(void)
*/
static __init int smack_init(void)
{
- struct cred *cred;
+ static int finish;
+ struct cred *cred = (struct cred *) current->cred;
struct task_smack *tsp;
if (!security_module_enable("smack"))
return 0;
+ if (!finish) {
+ security_add_blobs(&smack_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
smack_inode_cache = KMEM_CACHE(inode_smack, 0);
if (!smack_inode_cache)
return -ENOMEM;
- tsp = new_task_smack(&smack_known_floor, &smack_known_floor,
- GFP_KERNEL);
- if (tsp == NULL) {
- kmem_cache_destroy(smack_inode_cache);
- return -ENOMEM;
- }
+ lsm_early_cred(cred);
+ /*
+ * Set the security state for the initial task.
+ */
+ tsp = smack_cred(cred);
+ init_task_smack(tsp, &smack_known_floor, &smack_known_floor);
+
+ /*
+ * Register with LSM
+ */
+ security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
smack_enabled = 1;
pr_info("Smack: Initializing.\n");
@@ -4808,20 +4795,9 @@ static __init int smack_init(void)
pr_info("Smack: IPv6 Netfilter enabled.\n");
#endif
- /*
- * Set the security state for the initial task.
- */
- cred = (struct cred *) current->cred;
- cred->security = tsp;
-
/* initialize the smack_known_list */
init_smack_known_list();
- /*
- * Register with LSM
- */
- security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
-
return 0;
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index f6482e53d55a..9d2dde608298 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -2208,14 +2208,14 @@ static const struct file_operations smk_logging_ops = {
static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -2262,7 +2262,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_FIXED24_FMT);
@@ -2414,14 +2414,14 @@ static const struct file_operations smk_load2_ops = {
static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -2467,7 +2467,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_LONG_FMT);
@@ -2681,14 +2681,14 @@ static const struct file_operations smk_syslog_ops = {
static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_relabel);
}
static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_relabel);
}
@@ -2736,7 +2736,7 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file)
static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = smack_cred(current_cred());
char *data;
int rc;
LIST_HEAD(list_tmp);
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 361e7a284699..cbcfccc84784 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -28,6 +28,7 @@
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/un.h>
+#include <linux/lsm_hooks.h>
#include <net/sock.h>
#include <net/af_unix.h>
#include <net/ip.h>
@@ -1196,13 +1197,26 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
}
/**
+ * tomoyo_cred - Get a pointer to the tomoyo cred security blob
+ * @cred - the relevant cred
+ *
+ * Returns pointer to the tomoyo cred blob.
+ */
+static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
+{
+ return cred->security;
+}
+
+/**
* tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
*
* Returns pointer to "struct tomoyo_domain_info" for current thread.
*/
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
- return current_cred()->security;
+ struct tomoyo_domain_info **blob = tomoyo_cred(current_cred());
+
+ return *blob;
}
/**
@@ -1215,7 +1229,9 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void)
static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
*task)
{
- return task_cred_xxx(task, security);
+ struct tomoyo_domain_info **blob = tomoyo_cred(get_task_cred(task));
+
+ return *blob;
}
/**
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 00d223e9fb37..80ebb422c02b 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -677,6 +677,7 @@ static int tomoyo_environ(struct tomoyo_execve *ee)
*/
int tomoyo_find_next_domain(struct linux_binprm *bprm)
{
+ struct tomoyo_domain_info **blob;
struct tomoyo_domain_info *old_domain = tomoyo_domain();
struct tomoyo_domain_info *domain = NULL;
const char *original_name = bprm->filename;
@@ -842,7 +843,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
domain = old_domain;
/* Update reference count on "struct tomoyo_domain_info". */
atomic_inc(&domain->users);
- bprm->cred->security = domain;
+ blob = tomoyo_cred(bprm->cred);
+ *blob = domain;
kfree(exename.name);
if (!retval) {
ee->r.domain = domain;
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 06ab41b1ff28..9289f2a16036 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -70,9 +70,12 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
if (!cred) {
error = -ENOMEM;
} else {
- struct tomoyo_domain_info *old_domain =
- cred->security;
- cred->security = new_domain;
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *old_domain;
+
+ blob = tomoyo_cred(cred);
+ old_domain = *blob;
+ *blob = new_domain;
atomic_inc(&new_domain->users);
atomic_dec(&old_domain->users);
commit_creds(cred);
@@ -233,10 +236,12 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode,
*/
static int __init tomoyo_initerface_init(void)
{
+ struct tomoyo_domain_info *domain;
struct dentry *tomoyo_dir;
+ domain = tomoyo_domain();
/* Don't create securityfs entries unless registered. */
- if (current_cred()->security != &tomoyo_kernel_domain)
+ if (domain != &tomoyo_kernel_domain)
return 0;
tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index d25b705360e0..1224a59291fb 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -17,7 +17,9 @@
*/
static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
{
- new->security = NULL;
+ struct tomoyo_domain_info **blob = tomoyo_cred(new);
+
+ *blob = NULL;
return 0;
}
@@ -33,8 +35,13 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct tomoyo_domain_info *domain = old->security;
- new->security = domain;
+ struct tomoyo_domain_info **old_blob = tomoyo_cred(old);
+ struct tomoyo_domain_info **new_blob = tomoyo_cred(new);
+ struct tomoyo_domain_info *domain;
+
+ domain = *old_blob;
+ *new_blob = domain;
+
if (domain)
atomic_inc(&domain->users);
return 0;
@@ -58,7 +65,9 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
*/
static void tomoyo_cred_free(struct cred *cred)
{
- struct tomoyo_domain_info *domain = cred->security;
+ struct tomoyo_domain_info **blob = tomoyo_cred(cred);
+ struct tomoyo_domain_info *domain = *blob;
+
if (domain)
atomic_dec(&domain->users);
}
@@ -72,6 +81,9 @@ static void tomoyo_cred_free(struct cred *cred)
*/
static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
{
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *domain;
+
/*
* Do only if this function is called for the first time of an execve
* operation.
@@ -92,13 +104,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
* stored inside "bprm->cred->security" will be acquired later inside
* tomoyo_find_next_domain().
*/
- atomic_dec(&((struct tomoyo_domain_info *)
- bprm->cred->security)->users);
+ blob = tomoyo_cred(bprm->cred);
+ domain = *blob;
+ atomic_dec(&domain->users);
/*
* Tell tomoyo_bprm_check_security() is called for the first time of an
* execve operation.
*/
- bprm->cred->security = NULL;
+ *blob = NULL;
return 0;
}
@@ -111,8 +124,11 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
*/
static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
{
- struct tomoyo_domain_info *domain = bprm->cred->security;
+ struct tomoyo_domain_info **blob;
+ struct tomoyo_domain_info *domain;
+ blob = tomoyo_cred(bprm->cred);
+ domain = *blob;
/*
* Execute permission is checked against pathname passed to do_execve()
* using current domain.
@@ -492,6 +508,10 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
return tomoyo_socket_sendmsg_permission(sock, msg, size);
}
+struct lsm_blob_sizes tomoyo_blob_sizes = {
+ .lbs_cred = sizeof(struct tomoyo_domain_info *),
+};
+
/*
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
@@ -537,14 +557,25 @@ DEFINE_SRCU(tomoyo_ss);
*/
static int __init tomoyo_init(void)
{
+ static int finish;
struct cred *cred = (struct cred *) current_cred();
+ struct tomoyo_domain_info **blob;
if (!security_module_enable("tomoyo"))
return 0;
+
+ if (!finish) {
+ security_add_blobs(&tomoyo_blob_sizes);
+ finish = 1;
+ return 0;
+ }
+
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
printk(KERN_INFO "TOMOYO Linux initialized\n");
- cred->security = &tomoyo_kernel_domain;
+ lsm_early_cred(cred);
+ blob = tomoyo_cred(cred);
+ *blob = &tomoyo_kernel_domain;
tomoyo_mm_init();
return 0;
}
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 3/9] LSM: Manage file security blobs
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
2017-10-27 21:45 ` [PATCH 1/9] procfs: add smack subdir to attrs Casey Schaufler
2017-10-27 21:45 ` [PATCH 2/9] LSM: Manage credential security blobs Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-10-31 15:25 ` Stephen Smalley
2017-10-27 21:45 ` [PATCH 4/9] LSM: Manage task " Casey Schaufler
` (7 subsequent siblings)
10 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 3/9] LSM: Manage file security blobs
Move the management of file security blobs from the individual
security modules to the security infrastructure. The security modules
using file blobs have been updated accordingly. Modules are required
to identify the space they need at module initialization. In some
cases a module no longer needs to supply a blob management hook, in
which case the hook has been removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/apparmor/include/context.h | 5 +++++
security/apparmor/include/file.h | 2 +-
security/apparmor/lsm.c | 19 ++++++++--------
security/security.c | 43 +++++++++++++++++++++++++++++++++++++
security/selinux/hooks.c | 41 +++++++++--------------------------
security/selinux/include/objsec.h | 5 +++++
security/smack/smack.h | 5 +++++
security/smack/smack_lsm.c | 26 ++++++++--------------
9 files changed, 89 insertions(+), 58 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index ee4fcc51fa91..e5d0f1e01b81 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1919,6 +1919,7 @@ struct security_hook_list {
*/
struct lsm_blob_sizes {
int lbs_cred;
+ int lbs_file;
};
/*
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index 301ab3a0dd04..c6e106a533e8 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -87,6 +87,11 @@ static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
return aa_get_newest_label(aa_cred_raw_label(cred));
}
+static inline struct aa_file_ctx *apparmor_file(const struct file *file)
+{
+ return file->f_security;
+}
+
/**
* __aa_task_raw_label - retrieve another task's label
* @task: task to query (NOT NULL)
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 4c2c8ac8842f..b9efe6bc226b 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -32,7 +32,7 @@ struct path;
AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \
AA_EXEC_MMAP | AA_MAY_LINK)
-#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
+#define file_ctx(X) apparmor_file(X)
/* struct aa_file_ctx - the AppArmor context the file was opened in
* @lock: lock to update the ctx
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index d80293bde5bf..f2814ba84481 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -402,21 +402,21 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
static int apparmor_file_alloc_security(struct file *file)
{
- int error = 0;
-
- /* freed by apparmor_file_free_security */
+ struct aa_file_ctx *ctx = file_ctx(file);
struct aa_label *label = begin_current_label_crit_section();
- file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
- if (!file_ctx(file))
- error = -ENOMEM;
- end_current_label_crit_section(label);
- return error;
+ spin_lock_init(&ctx->lock);
+ rcu_assign_pointer(ctx->label, aa_get_label(label));
+ end_current_label_crit_section(label);
+ return 0;
}
static void apparmor_file_free_security(struct file *file)
{
- aa_free_file_ctx(file_ctx(file));
+ struct aa_file_ctx *ctx = file_ctx(file);
+
+ if (ctx)
+ aa_put_label(rcu_access_pointer(ctx->label));
}
static int common_file_perm(const char *op, struct file *file, u32 mask)
@@ -1078,6 +1078,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
struct lsm_blob_sizes apparmor_blob_sizes = {
.lbs_cred = sizeof(struct aa_task_ctx),
+ .lbs_file = sizeof(struct aa_file_ctx),
};
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
diff --git a/security/security.c b/security/security.c
index 6fadc3860fb0..4d8e702fa22f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -37,6 +37,8 @@
struct security_hook_heads security_hook_heads __lsm_ro_after_init;
static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
+static struct kmem_cache *lsm_file_cache;
+
char *lsm_names;
static struct lsm_blob_sizes blob_sizes;
@@ -83,6 +85,13 @@ int __init security_init(void)
do_security_initcalls();
/*
+ * Create any kmem_caches needed for blobs
+ */
+ if (blob_sizes.lbs_file)
+ lsm_file_cache = kmem_cache_create("lsm_file_cache",
+ blob_sizes.lbs_file, 0,
+ SLAB_PANIC, NULL);
+ /*
* The second call to a module specific init function
* adds hooks to the hook lists and does any other early
* initializations required.
@@ -91,6 +100,7 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
+ pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
#endif
return 0;
@@ -267,6 +277,26 @@ static void __init lsm_set_size(int *need, int *lbs)
void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
+ lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+}
+
+/**
+ * lsm_file_alloc - allocate a composite file blob
+ * @file: the file that needs a blob
+ *
+ * Allocate the file blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_file_alloc(struct file *file)
+{
+ if (!lsm_file_cache)
+ return 0;
+
+ file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL);
+ if (file->f_security == NULL)
+ return -ENOMEM;
+ return 0;
}
/*
@@ -952,12 +982,25 @@ int security_file_permission(struct file *file, int mask)
int security_file_alloc(struct file *file)
{
+ int rc = lsm_file_alloc(file);
+
+ if (rc)
+ return rc;
return call_int_hook(file_alloc_security, 0, file);
}
void security_file_free(struct file *file)
{
+ void *blob;
+
+ if (!lsm_file_cache)
+ return;
+
call_void_hook(file_free_security, file);
+
+ blob = file->f_security;
+ file->f_security = NULL;
+ kmem_cache_free(lsm_file_cache, blob);
}
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a4d1ec236d4e..28e641f829b2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -129,7 +129,6 @@ int selinux_enabled = 1;
#endif
static struct kmem_cache *sel_inode_cache;
-static struct kmem_cache *file_security_cache;
/**
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
@@ -359,27 +358,15 @@ static void inode_free_security(struct inode *inode)
static int file_alloc_security(struct file *file)
{
- struct file_security_struct *fsec;
+ struct file_security_struct *fsec = selinux_file(file);
u32 sid = current_sid();
- fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
- if (!fsec)
- return -ENOMEM;
-
fsec->sid = sid;
fsec->fown_sid = sid;
- file->f_security = fsec;
return 0;
}
-static void file_free_security(struct file *file)
-{
- struct file_security_struct *fsec = file->f_security;
- file->f_security = NULL;
- kmem_cache_free(file_security_cache, fsec);
-}
-
static int superblock_alloc_security(struct super_block *sb)
{
struct superblock_security_struct *sbsec;
@@ -1823,7 +1810,7 @@ static int file_has_perm(const struct cred *cred,
struct file *file,
u32 av)
{
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode *inode = file_inode(file);
struct common_audit_data ad;
u32 sid = cred_sid(cred);
@@ -2143,7 +2130,7 @@ static int selinux_binder_transfer_file(struct task_struct *from,
struct file *file)
{
u32 sid = task_sid(to);
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct dentry *dentry = file->f_path.dentry;
struct inode_security_struct *isec;
struct common_audit_data ad;
@@ -3421,7 +3408,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
static int selinux_file_permission(struct file *file, int mask)
{
struct inode *inode = file_inode(file);
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode_security_struct *isec;
u32 sid = current_sid();
@@ -3443,11 +3430,6 @@ static int selinux_file_alloc_security(struct file *file)
return file_alloc_security(file);
}
-static void selinux_file_free_security(struct file *file)
-{
- file_free_security(file);
-}
-
/*
* Check whether a task has the ioctl permission and cmd
* operation to an inode.
@@ -3456,7 +3438,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
u32 requested, u16 cmd)
{
struct common_audit_data ad;
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = selinux_file(file);
struct inode *inode = file_inode(file);
struct inode_security_struct *isec;
struct lsm_ioctlop_audit ioctl;
@@ -3702,7 +3684,7 @@ static void selinux_file_set_fowner(struct file *file)
{
struct file_security_struct *fsec;
- fsec = file->f_security;
+ fsec = selinux_file(file);
fsec->fown_sid = current_sid();
}
@@ -3717,7 +3699,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
/* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner);
- fsec = file->f_security;
+ fsec = selinux_file(file);
if (!signum)
perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@@ -3740,7 +3722,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
struct file_security_struct *fsec;
struct inode_security_struct *isec;
- fsec = file->f_security;
+ fsec = selinux_file(file);
isec = inode_security(file_inode(file));
/*
* Save inode label and policy sequence number
@@ -3870,7 +3852,7 @@ static int selinux_kernel_module_from_file(struct file *file)
ad.type = LSM_AUDIT_DATA_FILE;
ad.u.file = file;
- fsec = file->f_security;
+ fsec = selinux_file(file);
if (sid != fsec->sid) {
rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);
if (rc)
@@ -6215,6 +6197,7 @@ static void selinux_ib_free_security(void *ib_sec)
struct lsm_blob_sizes selinux_blob_sizes = {
.lbs_cred = sizeof(struct task_security_struct),
+ .lbs_file = sizeof(struct file_security_struct),
};
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
@@ -6285,7 +6268,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
@@ -6466,9 +6448,6 @@ static __init int selinux_init(void)
sel_inode_cache = kmem_cache_create("selinux_inode_security",
sizeof(struct inode_security_struct),
0, SLAB_PANIC, NULL);
- file_security_cache = kmem_cache_create("selinux_file_security",
- sizeof(struct file_security_struct),
- 0, SLAB_PANIC, NULL);
avc_init();
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index c0bdb7232f39..504e15ed234f 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -161,4 +161,9 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred)
return cred->security;
}
+static inline struct file_security_struct *selinux_file(const struct file *file)
+{
+ return file->f_security;
+}
+
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/smack/smack.h b/security/smack/smack.h
index ab1d217800e2..d14e8d17eea0 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -361,6 +361,11 @@ static inline struct task_smack *smack_cred(const struct cred *cred)
return cred->security;
}
+static inline struct smack_known **smack_file(const struct file *file)
+{
+ return file->f_security;
+}
+
/*
* Is the directory transmuting?
*/
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index ff4e5c632410..a807624aff9a 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1575,25 +1575,13 @@ static void smack_inode_getsecid(struct inode *inode, u32 *secid)
*/
static int smack_file_alloc_security(struct file *file)
{
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_file(file);
- file->f_security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_file_free_security - clear a file security blob
- * @file: the object
- *
- * The security blob for a file is a pointer to the master
- * label list, so no memory is freed.
- */
-static void smack_file_free_security(struct file *file)
-{
- file->f_security = NULL;
-}
-
-/**
* smack_file_ioctl - Smack check on ioctls
* @file: the object
* @cmd: what to do
@@ -1817,7 +1805,9 @@ static int smack_mmap_file(struct file *file,
*/
static void smack_file_set_fowner(struct file *file)
{
- file->f_security = smk_of_current();
+ struct smack_known **blob = smack_file(file);
+
+ *blob = smk_of_current();
}
/**
@@ -1834,6 +1824,7 @@ static void smack_file_set_fowner(struct file *file)
static int smack_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum)
{
+ struct smack_known **blob;
struct smack_known *skp;
struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
struct file *file;
@@ -1846,7 +1837,8 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
file = container_of(fown, struct file, f_owner);
/* we don't log here as rc can be overriden */
- skp = file->f_security;
+ blob = smack_file(file);
+ skp = *blob;
rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
@@ -4578,6 +4570,7 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
struct lsm_blob_sizes smack_blob_sizes = {
.lbs_cred = sizeof(struct task_smack),
+ .lbs_file = sizeof(struct smack_known *),
};
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
@@ -4615,7 +4608,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, smack_file_free_security),
LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
LSM_HOOK_INIT(file_lock, smack_file_lock),
LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 3/9] LSM: Manage file security blobs
2017-10-27 21:45 ` [PATCH 3/9] LSM: Manage file " Casey Schaufler
@ 2017-10-31 15:25 ` Stephen Smalley
2017-10-31 16:16 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: Stephen Smalley @ 2017-10-31 15:25 UTC (permalink / raw)
To: linux-security-module
On Fri, 2017-10-27 at 14:45 -0700, Casey Schaufler wrote:
> Subject: [PATCH 3/9] LSM: Manage file security blobs
>
> Move the management of file security blobs from the individual
> security modules to the security infrastructure. The security modules
> using file blobs have been updated accordingly. Modules are required
> to identify the space they need at module initialization. In some
> cases a module no longer needs to supply a blob management hook, in
> which case the hook has been removed.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> ?include/linux/lsm_hooks.h???????????|??1 +
> ?security/apparmor/include/context.h |??5 +++++
> ?security/apparmor/include/file.h????|??2 +-
> ?security/apparmor/lsm.c?????????????| 19 ++++++++--------
> ?security/security.c?????????????????| 43
> +++++++++++++++++++++++++++++++++++++
> ?security/selinux/hooks.c????????????| 41 +++++++++----------------
> ----------
> ?security/selinux/include/objsec.h???|??5 +++++
> ?security/smack/smack.h??????????????|??5 +++++
> ?security/smack/smack_lsm.c??????????| 26 ++++++++--------------
> ?9 files changed, 89 insertions(+), 58 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index ee4fcc51fa91..e5d0f1e01b81 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1919,6 +1919,7 @@ struct security_hook_list {
> ? */
> ?struct lsm_blob_sizes {
> ? int lbs_cred;
> + int lbs_file;
> ?};
> ?
> ?/*
> diff --git a/security/apparmor/include/context.h
> b/security/apparmor/include/context.h
> index 301ab3a0dd04..c6e106a533e8 100644
> --- a/security/apparmor/include/context.h
> +++ b/security/apparmor/include/context.h
> @@ -87,6 +87,11 @@ static inline struct aa_label
> *aa_get_newest_cred_label(const struct cred *cred)
> ? return aa_get_newest_label(aa_cred_raw_label(cred));
> ?}
> ?
> +static inline struct aa_file_ctx *apparmor_file(const struct file
> *file)
> +{
> + return file->f_security;
> +}
> +
> ?/**
> ? * __aa_task_raw_label - retrieve another task's label
> ? * @task: task to query??(NOT NULL)
> diff --git a/security/apparmor/include/file.h
> b/security/apparmor/include/file.h
> index 4c2c8ac8842f..b9efe6bc226b 100644
> --- a/security/apparmor/include/file.h
> +++ b/security/apparmor/include/file.h
> @@ -32,7 +32,7 @@ struct path;
> ? ?AA_MAY_CHMOD | AA_MAY_CHOWN |
> AA_MAY_LOCK | \
> ? ?AA_EXEC_MMAP | AA_MAY_LINK)
> ?
> -#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
> +#define file_ctx(X) apparmor_file(X)
> ?
> ?/* struct aa_file_ctx - the AppArmor context the file was opened in
> ? * @lock: lock to update the ctx
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index d80293bde5bf..f2814ba84481 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -402,21 +402,21 @@ static int apparmor_file_open(struct file
> *file, const struct cred *cred)
> ?
> ?static int apparmor_file_alloc_security(struct file *file)
> ?{
> - int error = 0;
> -
> - /* freed by apparmor_file_free_security */
> + struct aa_file_ctx *ctx = file_ctx(file);
> ? struct aa_label *label = begin_current_label_crit_section();
> - file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
> - if (!file_ctx(file))
> - error = -ENOMEM;
> - end_current_label_crit_section(label);
> ?
> - return error;
> + spin_lock_init(&ctx->lock);
> + rcu_assign_pointer(ctx->label, aa_get_label(label));
> + end_current_label_crit_section(label);
> + return 0;
> ?}
> ?
> ?static void apparmor_file_free_security(struct file *file)
> ?{
> - aa_free_file_ctx(file_ctx(file));
> + struct aa_file_ctx *ctx = file_ctx(file);
> +
> + if (ctx)
> + aa_put_label(rcu_access_pointer(ctx->label));
> ?}
> ?
> ?static int common_file_perm(const char *op, struct file *file, u32
> mask)
> @@ -1078,6 +1078,7 @@ static void apparmor_sock_graft(struct sock
> *sk, struct socket *parent)
> ?
> ?struct lsm_blob_sizes apparmor_blob_sizes = {
> ? .lbs_cred = sizeof(struct aa_task_ctx),
> + .lbs_file = sizeof(struct aa_file_ctx),
> ?};
> ?
> ?static struct security_hook_list apparmor_hooks[]
> __lsm_ro_after_init = {
> diff --git a/security/security.c b/security/security.c
> index 6fadc3860fb0..4d8e702fa22f 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -37,6 +37,8 @@
> ?struct security_hook_heads security_hook_heads __lsm_ro_after_init;
> ?static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
> ?
> +static struct kmem_cache *lsm_file_cache;
> +
> ?char *lsm_names;
> ?static struct lsm_blob_sizes blob_sizes;
> ?
> @@ -83,6 +85,13 @@ int __init security_init(void)
> ? do_security_initcalls();
> ?
> ? /*
> + ?* Create any kmem_caches needed for blobs
> + ?*/
> + if (blob_sizes.lbs_file)
> + lsm_file_cache = kmem_cache_create("lsm_file_cache",
> + ???blob_sizes.lbs_fi
> le, 0,
> + ???SLAB_PANIC,
> NULL);
> + /*
> ? ?* The second call to a module specific init function
> ? ?* adds hooks to the hook lists and does any other early
> ? ?* initializations required.
> @@ -91,6 +100,7 @@ int __init security_init(void)
> ?
> ?#ifdef CONFIG_SECURITY_LSM_DEBUG
> ? pr_info("LSM: cred blob size???????= %d\n",
> blob_sizes.lbs_cred);
> + pr_info("LSM: file blob size???????= %d\n",
> blob_sizes.lbs_file);
> ?#endif
> ?
> ? return 0;
> @@ -267,6 +277,26 @@ static void __init lsm_set_size(int *need, int
> *lbs)
> ?void __init security_add_blobs(struct lsm_blob_sizes *needed)
> ?{
> ? lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
> + lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
> +}
> +
> +/**
> + * lsm_file_alloc - allocate a composite file blob
> + * @file: the file that needs a blob
> + *
> + * Allocate the file blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +int lsm_file_alloc(struct file *file)
> +{
> + if (!lsm_file_cache)
> + return 0;
> +
> + file->f_security = kmem_cache_zalloc(lsm_file_cache,
> GFP_KERNEL);
> + if (file->f_security == NULL)
> + return -ENOMEM;
> + return 0;
> ?}
> ?
> ?/*
> @@ -952,12 +982,25 @@ int security_file_permission(struct file *file,
> int mask)
> ?
> ?int security_file_alloc(struct file *file)
> ?{
> + int rc = lsm_file_alloc(file);
> +
> + if (rc)
> + return rc;
> ? return call_int_hook(file_alloc_security, 0, file);
Suppose that a module's file_alloc_security() hook returns an error.
What should happen to the blob allocated by lsm_file_alloc()? In
general, callers assumes that security_file_alloc() handles cleanup
internally if it returns an error and do not call security_file_free();
this is also true of other similar alloc hooks I believe. ?Further, if
we allow the module file_alloc_security() hooks to perform any
allocation themselves, then we have a similar problem with regard to
cleanup if any one of them fails; to be fully safe, we'd need to call
the file_free_security() hook on the ones that had previously returned
success. Either we need to handle such errors within
security_file_alloc(), or we need to dispense with the ability to
allocate and return an error code from the module's
file_alloc_security(), i.e. make them return void, and probably rename
them to file_init_security() or similar.
> ?}
> ?
> ?void security_file_free(struct file *file)
> ?{
> + void *blob;
> +
> + if (!lsm_file_cache)
> + return;
> +
> ? call_void_hook(file_free_security, file);
> +
> + blob = file->f_security;
> + file->f_security = NULL;
> + kmem_cache_free(lsm_file_cache, blob);
> ?}
> ?
> ?int security_file_ioctl(struct file *file, unsigned int cmd,
> unsigned long arg)
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index a4d1ec236d4e..28e641f829b2 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -129,7 +129,6 @@ int selinux_enabled = 1;
> ?#endif
> ?
> ?static struct kmem_cache *sel_inode_cache;
> -static struct kmem_cache *file_security_cache;
> ?
> ?/**
> ? * selinux_secmark_enabled - Check to see if SECMARK is currently
> enabled
> @@ -359,27 +358,15 @@ static void inode_free_security(struct inode
> *inode)
> ?
> ?static int file_alloc_security(struct file *file)
> ?{
> - struct file_security_struct *fsec;
> + struct file_security_struct *fsec = selinux_file(file);
> ? u32 sid = current_sid();
> ?
> - fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
> - if (!fsec)
> - return -ENOMEM;
> -
> ? fsec->sid = sid;
> ? fsec->fown_sid = sid;
> - file->f_security = fsec;
> ?
> ? return 0;
> ?}
> ?
> -static void file_free_security(struct file *file)
> -{
> - struct file_security_struct *fsec = file->f_security;
> - file->f_security = NULL;
> - kmem_cache_free(file_security_cache, fsec);
> -}
> -
> ?static int superblock_alloc_security(struct super_block *sb)
> ?{
> ? struct superblock_security_struct *sbsec;
> @@ -1823,7 +1810,7 @@ static int file_has_perm(const struct cred
> *cred,
> ? ?struct file *file,
> ? ?u32 av)
> ?{
> - struct file_security_struct *fsec = file->f_security;
> + struct file_security_struct *fsec = selinux_file(file);
> ? struct inode *inode = file_inode(file);
> ? struct common_audit_data ad;
> ? u32 sid = cred_sid(cred);
> @@ -2143,7 +2130,7 @@ static int selinux_binder_transfer_file(struct
> task_struct *from,
> ? struct file *file)
> ?{
> ? u32 sid = task_sid(to);
> - struct file_security_struct *fsec = file->f_security;
> + struct file_security_struct *fsec = selinux_file(file);
> ? struct dentry *dentry = file->f_path.dentry;
> ? struct inode_security_struct *isec;
> ? struct common_audit_data ad;
> @@ -3421,7 +3408,7 @@ static int
> selinux_revalidate_file_permission(struct file *file, int mask)
> ?static int selinux_file_permission(struct file *file, int mask)
> ?{
> ? struct inode *inode = file_inode(file);
> - struct file_security_struct *fsec = file->f_security;
> + struct file_security_struct *fsec = selinux_file(file);
> ? struct inode_security_struct *isec;
> ? u32 sid = current_sid();
> ?
> @@ -3443,11 +3430,6 @@ static int selinux_file_alloc_security(struct
> file *file)
> ? return file_alloc_security(file);
> ?}
> ?
> -static void selinux_file_free_security(struct file *file)
> -{
> - file_free_security(file);
> -}
> -
> ?/*
> ? * Check whether a task has the ioctl permission and cmd
> ? * operation to an inode.
> @@ -3456,7 +3438,7 @@ static int ioctl_has_perm(const struct cred
> *cred, struct file *file,
> ? u32 requested, u16 cmd)
> ?{
> ? struct common_audit_data ad;
> - struct file_security_struct *fsec = file->f_security;
> + struct file_security_struct *fsec = selinux_file(file);
> ? struct inode *inode = file_inode(file);
> ? struct inode_security_struct *isec;
> ? struct lsm_ioctlop_audit ioctl;
> @@ -3702,7 +3684,7 @@ static void selinux_file_set_fowner(struct file
> *file)
> ?{
> ? struct file_security_struct *fsec;
> ?
> - fsec = file->f_security;
> + fsec = selinux_file(file);
> ? fsec->fown_sid = current_sid();
> ?}
> ?
> @@ -3717,7 +3699,7 @@ static int selinux_file_send_sigiotask(struct
> task_struct *tsk,
> ? /* struct fown_struct is never outside the context of a
> struct file */
> ? file = container_of(fown, struct file, f_owner);
> ?
> - fsec = file->f_security;
> + fsec = selinux_file(file);
> ?
> ? if (!signum)
> ? perm = signal_to_av(SIGIO); /* as per
> send_sigio_to_task */
> @@ -3740,7 +3722,7 @@ static int selinux_file_open(struct file *file,
> const struct cred *cred)
> ? struct file_security_struct *fsec;
> ? struct inode_security_struct *isec;
> ?
> - fsec = file->f_security;
> + fsec = selinux_file(file);
> ? isec = inode_security(file_inode(file));
> ? /*
> ? ?* Save inode label and policy sequence number
> @@ -3870,7 +3852,7 @@ static int
> selinux_kernel_module_from_file(struct file *file)
> ? ad.type = LSM_AUDIT_DATA_FILE;
> ? ad.u.file = file;
> ?
> - fsec = file->f_security;
> + fsec = selinux_file(file);
> ? if (sid != fsec->sid) {
> ? rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD,
> FD__USE, &ad);
> ? if (rc)
> @@ -6215,6 +6197,7 @@ static void selinux_ib_free_security(void
> *ib_sec)
> ?
> ?struct lsm_blob_sizes selinux_blob_sizes = {
> ? .lbs_cred = sizeof(struct task_security_struct),
> + .lbs_file = sizeof(struct file_security_struct),
> ?};
> ?
> ?static struct security_hook_list selinux_hooks[] __lsm_ro_after_init
> = {
> @@ -6285,7 +6268,6 @@ static struct security_hook_list
> selinux_hooks[] __lsm_ro_after_init = {
> ?
> ? LSM_HOOK_INIT(file_permission, selinux_file_permission),
> ? LSM_HOOK_INIT(file_alloc_security,
> selinux_file_alloc_security),
> - LSM_HOOK_INIT(file_free_security,
> selinux_file_free_security),
> ? LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
> ? LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
> ? LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
> @@ -6466,9 +6448,6 @@ static __init int selinux_init(void)
> ? sel_inode_cache =
> kmem_cache_create("selinux_inode_security",
> ? ????sizeof(struct
> inode_security_struct),
> ? ????0, SLAB_PANIC, NULL);
> - file_security_cache =
> kmem_cache_create("selinux_file_security",
> - ????sizeof(struct
> file_security_struct),
> - ????0, SLAB_PANIC, NULL);
> ? avc_init();
> ?
> ? security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
> "selinux");
> diff --git a/security/selinux/include/objsec.h
> b/security/selinux/include/objsec.h
> index c0bdb7232f39..504e15ed234f 100644
> --- a/security/selinux/include/objsec.h
> +++ b/security/selinux/include/objsec.h
> @@ -161,4 +161,9 @@ static inline struct task_security_struct
> *selinux_cred(const struct cred *cred)
> ? return cred->security;
> ?}
> ?
> +static inline struct file_security_struct *selinux_file(const struct
> file *file)
> +{
> + return file->f_security;
> +}
> +
> ?#endif /* _SELINUX_OBJSEC_H_ */
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index ab1d217800e2..d14e8d17eea0 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -361,6 +361,11 @@ static inline struct task_smack
> *smack_cred(const struct cred *cred)
> ? return cred->security;
> ?}
> ?
> +static inline struct smack_known **smack_file(const struct file
> *file)
> +{
> + return file->f_security;
> +}
> +
> ?/*
> ? * Is the directory transmuting?
> ? */
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index ff4e5c632410..a807624aff9a 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -1575,25 +1575,13 @@ static void smack_inode_getsecid(struct inode
> *inode, u32 *secid)
> ? */
> ?static int smack_file_alloc_security(struct file *file)
> ?{
> - struct smack_known *skp = smk_of_current();
> + struct smack_known **blob = smack_file(file);
> ?
> - file->f_security = skp;
> + *blob = smk_of_current();
> ? return 0;
> ?}
> ?
> ?/**
> - * smack_file_free_security - clear a file security blob
> - * @file: the object
> - *
> - * The security blob for a file is a pointer to the master
> - * label list, so no memory is freed.
> - */
> -static void smack_file_free_security(struct file *file)
> -{
> - file->f_security = NULL;
> -}
> -
> -/**
> ? * smack_file_ioctl - Smack check on ioctls
> ? * @file: the object
> ? * @cmd: what to do
> @@ -1817,7 +1805,9 @@ static int smack_mmap_file(struct file *file,
> ? */
> ?static void smack_file_set_fowner(struct file *file)
> ?{
> - file->f_security = smk_of_current();
> + struct smack_known **blob = smack_file(file);
> +
> + *blob = smk_of_current();
> ?}
> ?
> ?/**
> @@ -1834,6 +1824,7 @@ static void smack_file_set_fowner(struct file
> *file)
> ?static int smack_file_send_sigiotask(struct task_struct *tsk,
> ? ?????struct fown_struct *fown, int
> signum)
> ?{
> + struct smack_known **blob;
> ? struct smack_known *skp;
> ? struct smack_known *tkp = smk_of_task(smack_cred(tsk-
> >cred));
> ? struct file *file;
> @@ -1846,7 +1837,8 @@ static int smack_file_send_sigiotask(struct
> task_struct *tsk,
> ? file = container_of(fown, struct file, f_owner);
> ?
> ? /* we don't log here as rc can be overriden */
> - skp = file->f_security;
> + blob = smack_file(file);
> + skp = *blob;
> ? rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
> ? rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
> ? if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
> @@ -4578,6 +4570,7 @@ static int smack_inode_getsecctx(struct inode
> *inode, void **ctx, u32 *ctxlen)
> ?
> ?struct lsm_blob_sizes smack_blob_sizes = {
> ? .lbs_cred = sizeof(struct task_smack),
> + .lbs_file = sizeof(struct smack_known *),
> ?};
> ?
> ?static struct security_hook_list smack_hooks[] __lsm_ro_after_init =
> {
> @@ -4615,7 +4608,6 @@ static struct security_hook_list smack_hooks[]
> __lsm_ro_after_init = {
> ? LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
> ?
> ? LSM_HOOK_INIT(file_alloc_security,
> smack_file_alloc_security),
> - LSM_HOOK_INIT(file_free_security, smack_file_free_security),
> ? LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
> ? LSM_HOOK_INIT(file_lock, smack_file_lock),
> ? LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 3/9] LSM: Manage file security blobs
2017-10-31 15:25 ` Stephen Smalley
@ 2017-10-31 16:16 ` Casey Schaufler
2017-10-31 17:32 ` John Johansen
0 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2017-10-31 16:16 UTC (permalink / raw)
To: linux-security-module
On 10/31/2017 8:25 AM, Stephen Smalley wrote:
> On Fri, 2017-10-27 at 14:45 -0700, Casey Schaufler wrote:
>> Subject: [PATCH 3/9] LSM: Manage file security blobs
>>
>> Move the management of file security blobs from the individual
>> security modules to the security infrastructure. The security modules
>> using file blobs have been updated accordingly. Modules are required
>> to identify the space they need at module initialization. In some
>> cases a module no longer needs to supply a blob management hook, in
>> which case the hook has been removed.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>> ?include/linux/lsm_hooks.h???????????|??1 +
>> ?security/apparmor/include/context.h |??5 +++++
>> ?security/apparmor/include/file.h????|??2 +-
>> ?security/apparmor/lsm.c?????????????| 19 ++++++++--------
>> ?security/security.c?????????????????| 43
>> +++++++++++++++++++++++++++++++++++++
>> ?security/selinux/hooks.c????????????| 41 +++++++++----------------
>> ----------
>> ?security/selinux/include/objsec.h???|??5 +++++
>> ?security/smack/smack.h??????????????|??5 +++++
>> ?security/smack/smack_lsm.c??????????| 26 ++++++++--------------
>> ?9 files changed, 89 insertions(+), 58 deletions(-)
>>
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index ee4fcc51fa91..e5d0f1e01b81 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -1919,6 +1919,7 @@ struct security_hook_list {
>> ? */
>> ?struct lsm_blob_sizes {
>> ? int lbs_cred;
>> + int lbs_file;
>> ?};
>> ?
>> ?/*
>> diff --git a/security/apparmor/include/context.h
>> b/security/apparmor/include/context.h
>> index 301ab3a0dd04..c6e106a533e8 100644
>> --- a/security/apparmor/include/context.h
>> +++ b/security/apparmor/include/context.h
>> @@ -87,6 +87,11 @@ static inline struct aa_label
>> *aa_get_newest_cred_label(const struct cred *cred)
>> ? return aa_get_newest_label(aa_cred_raw_label(cred));
>> ?}
>> ?
>> +static inline struct aa_file_ctx *apparmor_file(const struct file
>> *file)
>> +{
>> + return file->f_security;
>> +}
>> +
>> ?/**
>> ? * __aa_task_raw_label - retrieve another task's label
>> ? * @task: task to query??(NOT NULL)
>> diff --git a/security/apparmor/include/file.h
>> b/security/apparmor/include/file.h
>> index 4c2c8ac8842f..b9efe6bc226b 100644
>> --- a/security/apparmor/include/file.h
>> +++ b/security/apparmor/include/file.h
>> @@ -32,7 +32,7 @@ struct path;
>> ? ?AA_MAY_CHMOD | AA_MAY_CHOWN |
>> AA_MAY_LOCK | \
>> ? ?AA_EXEC_MMAP | AA_MAY_LINK)
>> ?
>> -#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
>> +#define file_ctx(X) apparmor_file(X)
>> ?
>> ?/* struct aa_file_ctx - the AppArmor context the file was opened in
>> ? * @lock: lock to update the ctx
>> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
>> index d80293bde5bf..f2814ba84481 100644
>> --- a/security/apparmor/lsm.c
>> +++ b/security/apparmor/lsm.c
>> @@ -402,21 +402,21 @@ static int apparmor_file_open(struct file
>> *file, const struct cred *cred)
>> ?
>> ?static int apparmor_file_alloc_security(struct file *file)
>> ?{
>> - int error = 0;
>> -
>> - /* freed by apparmor_file_free_security */
>> + struct aa_file_ctx *ctx = file_ctx(file);
>> ? struct aa_label *label = begin_current_label_crit_section();
>> - file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
>> - if (!file_ctx(file))
>> - error = -ENOMEM;
>> - end_current_label_crit_section(label);
>> ?
>> - return error;
>> + spin_lock_init(&ctx->lock);
>> + rcu_assign_pointer(ctx->label, aa_get_label(label));
>> + end_current_label_crit_section(label);
>> + return 0;
>> ?}
>> ?
>> ?static void apparmor_file_free_security(struct file *file)
>> ?{
>> - aa_free_file_ctx(file_ctx(file));
>> + struct aa_file_ctx *ctx = file_ctx(file);
>> +
>> + if (ctx)
>> + aa_put_label(rcu_access_pointer(ctx->label));
>> ?}
>> ?
>> ?static int common_file_perm(const char *op, struct file *file, u32
>> mask)
>> @@ -1078,6 +1078,7 @@ static void apparmor_sock_graft(struct sock
>> *sk, struct socket *parent)
>> ?
>> ?struct lsm_blob_sizes apparmor_blob_sizes = {
>> ? .lbs_cred = sizeof(struct aa_task_ctx),
>> + .lbs_file = sizeof(struct aa_file_ctx),
>> ?};
>> ?
>> ?static struct security_hook_list apparmor_hooks[]
>> __lsm_ro_after_init = {
>> diff --git a/security/security.c b/security/security.c
>> index 6fadc3860fb0..4d8e702fa22f 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -37,6 +37,8 @@
>> ?struct security_hook_heads security_hook_heads __lsm_ro_after_init;
>> ?static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
>> ?
>> +static struct kmem_cache *lsm_file_cache;
>> +
>> ?char *lsm_names;
>> ?static struct lsm_blob_sizes blob_sizes;
>> ?
>> @@ -83,6 +85,13 @@ int __init security_init(void)
>> ? do_security_initcalls();
>> ?
>> ? /*
>> + ?* Create any kmem_caches needed for blobs
>> + ?*/
>> + if (blob_sizes.lbs_file)
>> + lsm_file_cache = kmem_cache_create("lsm_file_cache",
>> + ???blob_sizes.lbs_fi
>> le, 0,
>> + ???SLAB_PANIC,
>> NULL);
>> + /*
>> ? ?* The second call to a module specific init function
>> ? ?* adds hooks to the hook lists and does any other early
>> ? ?* initializations required.
>> @@ -91,6 +100,7 @@ int __init security_init(void)
>> ?
>> ?#ifdef CONFIG_SECURITY_LSM_DEBUG
>> ? pr_info("LSM: cred blob size???????= %d\n",
>> blob_sizes.lbs_cred);
>> + pr_info("LSM: file blob size???????= %d\n",
>> blob_sizes.lbs_file);
>> ?#endif
>> ?
>> ? return 0;
>> @@ -267,6 +277,26 @@ static void __init lsm_set_size(int *need, int
>> *lbs)
>> ?void __init security_add_blobs(struct lsm_blob_sizes *needed)
>> ?{
>> ? lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
>> + lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
>> +}
>> +
>> +/**
>> + * lsm_file_alloc - allocate a composite file blob
>> + * @file: the file that needs a blob
>> + *
>> + * Allocate the file blob for all the modules
>> + *
>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>> + */
>> +int lsm_file_alloc(struct file *file)
>> +{
>> + if (!lsm_file_cache)
>> + return 0;
>> +
>> + file->f_security = kmem_cache_zalloc(lsm_file_cache,
>> GFP_KERNEL);
>> + if (file->f_security == NULL)
>> + return -ENOMEM;
>> + return 0;
>> ?}
>> ?
>> ?/*
>> @@ -952,12 +982,25 @@ int security_file_permission(struct file *file,
>> int mask)
>> ?
>> ?int security_file_alloc(struct file *file)
>> ?{
>> + int rc = lsm_file_alloc(file);
>> +
>> + if (rc)
>> + return rc;
>> ? return call_int_hook(file_alloc_security, 0, file);
> Suppose that a module's file_alloc_security() hook returns an error.
> What should happen to the blob allocated by lsm_file_alloc()? In
> general, callers assumes that security_file_alloc() handles cleanup
> internally if it returns an error and do not call security_file_free();
> this is also true of other similar alloc hooks I believe. ?Further, if
> we allow the module file_alloc_security() hooks to perform any
> allocation themselves, then we have a similar problem with regard to
> cleanup if any one of them fails; to be fully safe, we'd need to call
> the file_free_security() hook on the ones that had previously returned
> success. Either we need to handle such errors within
> security_file_alloc(), or we need to dispense with the ability to
> allocate and return an error code from the module's
> file_alloc_security(), i.e. make them return void, and probably rename
> them to file_init_security() or similar.
I like the idea of changing file_alloc_security() to file_init_security()
or maybe file_setup_security() and making the hook a void function. If a
module wants to allocate space on its own it will need to deal with the
fact that it may have been unable to do so. I hesitate to prohibit modules
from allocating their own space because someone is going to want to have a
list of attributes. Trying to manage memory that you don't know about is
a loosing proposition.
>
>> ?}
>> ?
>> ?void security_file_free(struct file *file)
>> ?{
>> + void *blob;
>> +
>> + if (!lsm_file_cache)
>> + return;
>> +
>> ? call_void_hook(file_free_security, file);
>> +
>> + blob = file->f_security;
>> + file->f_security = NULL;
>> + kmem_cache_free(lsm_file_cache, blob);
>> ?}
>> ?
>> ?int security_file_ioctl(struct file *file, unsigned int cmd,
>> unsigned long arg)
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index a4d1ec236d4e..28e641f829b2 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -129,7 +129,6 @@ int selinux_enabled = 1;
>> ?#endif
>> ?
>> ?static struct kmem_cache *sel_inode_cache;
>> -static struct kmem_cache *file_security_cache;
>> ?
>> ?/**
>> ? * selinux_secmark_enabled - Check to see if SECMARK is currently
>> enabled
>> @@ -359,27 +358,15 @@ static void inode_free_security(struct inode
>> *inode)
>> ?
>> ?static int file_alloc_security(struct file *file)
>> ?{
>> - struct file_security_struct *fsec;
>> + struct file_security_struct *fsec = selinux_file(file);
>> ? u32 sid = current_sid();
>> ?
>> - fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
>> - if (!fsec)
>> - return -ENOMEM;
>> -
>> ? fsec->sid = sid;
>> ? fsec->fown_sid = sid;
>> - file->f_security = fsec;
>> ?
>> ? return 0;
>> ?}
>> ?
>> -static void file_free_security(struct file *file)
>> -{
>> - struct file_security_struct *fsec = file->f_security;
>> - file->f_security = NULL;
>> - kmem_cache_free(file_security_cache, fsec);
>> -}
>> -
>> ?static int superblock_alloc_security(struct super_block *sb)
>> ?{
>> ? struct superblock_security_struct *sbsec;
>> @@ -1823,7 +1810,7 @@ static int file_has_perm(const struct cred
>> *cred,
>> ? ?struct file *file,
>> ? ?u32 av)
>> ?{
>> - struct file_security_struct *fsec = file->f_security;
>> + struct file_security_struct *fsec = selinux_file(file);
>> ? struct inode *inode = file_inode(file);
>> ? struct common_audit_data ad;
>> ? u32 sid = cred_sid(cred);
>> @@ -2143,7 +2130,7 @@ static int selinux_binder_transfer_file(struct
>> task_struct *from,
>> ? struct file *file)
>> ?{
>> ? u32 sid = task_sid(to);
>> - struct file_security_struct *fsec = file->f_security;
>> + struct file_security_struct *fsec = selinux_file(file);
>> ? struct dentry *dentry = file->f_path.dentry;
>> ? struct inode_security_struct *isec;
>> ? struct common_audit_data ad;
>> @@ -3421,7 +3408,7 @@ static int
>> selinux_revalidate_file_permission(struct file *file, int mask)
>> ?static int selinux_file_permission(struct file *file, int mask)
>> ?{
>> ? struct inode *inode = file_inode(file);
>> - struct file_security_struct *fsec = file->f_security;
>> + struct file_security_struct *fsec = selinux_file(file);
>> ? struct inode_security_struct *isec;
>> ? u32 sid = current_sid();
>> ?
>> @@ -3443,11 +3430,6 @@ static int selinux_file_alloc_security(struct
>> file *file)
>> ? return file_alloc_security(file);
>> ?}
>> ?
>> -static void selinux_file_free_security(struct file *file)
>> -{
>> - file_free_security(file);
>> -}
>> -
>> ?/*
>> ? * Check whether a task has the ioctl permission and cmd
>> ? * operation to an inode.
>> @@ -3456,7 +3438,7 @@ static int ioctl_has_perm(const struct cred
>> *cred, struct file *file,
>> ? u32 requested, u16 cmd)
>> ?{
>> ? struct common_audit_data ad;
>> - struct file_security_struct *fsec = file->f_security;
>> + struct file_security_struct *fsec = selinux_file(file);
>> ? struct inode *inode = file_inode(file);
>> ? struct inode_security_struct *isec;
>> ? struct lsm_ioctlop_audit ioctl;
>> @@ -3702,7 +3684,7 @@ static void selinux_file_set_fowner(struct file
>> *file)
>> ?{
>> ? struct file_security_struct *fsec;
>> ?
>> - fsec = file->f_security;
>> + fsec = selinux_file(file);
>> ? fsec->fown_sid = current_sid();
>> ?}
>> ?
>> @@ -3717,7 +3699,7 @@ static int selinux_file_send_sigiotask(struct
>> task_struct *tsk,
>> ? /* struct fown_struct is never outside the context of a
>> struct file */
>> ? file = container_of(fown, struct file, f_owner);
>> ?
>> - fsec = file->f_security;
>> + fsec = selinux_file(file);
>> ?
>> ? if (!signum)
>> ? perm = signal_to_av(SIGIO); /* as per
>> send_sigio_to_task */
>> @@ -3740,7 +3722,7 @@ static int selinux_file_open(struct file *file,
>> const struct cred *cred)
>> ? struct file_security_struct *fsec;
>> ? struct inode_security_struct *isec;
>> ?
>> - fsec = file->f_security;
>> + fsec = selinux_file(file);
>> ? isec = inode_security(file_inode(file));
>> ? /*
>> ? ?* Save inode label and policy sequence number
>> @@ -3870,7 +3852,7 @@ static int
>> selinux_kernel_module_from_file(struct file *file)
>> ? ad.type = LSM_AUDIT_DATA_FILE;
>> ? ad.u.file = file;
>> ?
>> - fsec = file->f_security;
>> + fsec = selinux_file(file);
>> ? if (sid != fsec->sid) {
>> ? rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD,
>> FD__USE, &ad);
>> ? if (rc)
>> @@ -6215,6 +6197,7 @@ static void selinux_ib_free_security(void
>> *ib_sec)
>> ?
>> ?struct lsm_blob_sizes selinux_blob_sizes = {
>> ? .lbs_cred = sizeof(struct task_security_struct),
>> + .lbs_file = sizeof(struct file_security_struct),
>> ?};
>> ?
>> ?static struct security_hook_list selinux_hooks[] __lsm_ro_after_init
>> = {
>> @@ -6285,7 +6268,6 @@ static struct security_hook_list
>> selinux_hooks[] __lsm_ro_after_init = {
>> ?
>> ? LSM_HOOK_INIT(file_permission, selinux_file_permission),
>> ? LSM_HOOK_INIT(file_alloc_security,
>> selinux_file_alloc_security),
>> - LSM_HOOK_INIT(file_free_security,
>> selinux_file_free_security),
>> ? LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
>> ? LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
>> ? LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
>> @@ -6466,9 +6448,6 @@ static __init int selinux_init(void)
>> ? sel_inode_cache =
>> kmem_cache_create("selinux_inode_security",
>> ? ????sizeof(struct
>> inode_security_struct),
>> ? ????0, SLAB_PANIC, NULL);
>> - file_security_cache =
>> kmem_cache_create("selinux_file_security",
>> - ????sizeof(struct
>> file_security_struct),
>> - ????0, SLAB_PANIC, NULL);
>> ? avc_init();
>> ?
>> ? security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
>> "selinux");
>> diff --git a/security/selinux/include/objsec.h
>> b/security/selinux/include/objsec.h
>> index c0bdb7232f39..504e15ed234f 100644
>> --- a/security/selinux/include/objsec.h
>> +++ b/security/selinux/include/objsec.h
>> @@ -161,4 +161,9 @@ static inline struct task_security_struct
>> *selinux_cred(const struct cred *cred)
>> ? return cred->security;
>> ?}
>> ?
>> +static inline struct file_security_struct *selinux_file(const struct
>> file *file)
>> +{
>> + return file->f_security;
>> +}
>> +
>> ?#endif /* _SELINUX_OBJSEC_H_ */
>> diff --git a/security/smack/smack.h b/security/smack/smack.h
>> index ab1d217800e2..d14e8d17eea0 100644
>> --- a/security/smack/smack.h
>> +++ b/security/smack/smack.h
>> @@ -361,6 +361,11 @@ static inline struct task_smack
>> *smack_cred(const struct cred *cred)
>> ? return cred->security;
>> ?}
>> ?
>> +static inline struct smack_known **smack_file(const struct file
>> *file)
>> +{
>> + return file->f_security;
>> +}
>> +
>> ?/*
>> ? * Is the directory transmuting?
>> ? */
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index ff4e5c632410..a807624aff9a 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -1575,25 +1575,13 @@ static void smack_inode_getsecid(struct inode
>> *inode, u32 *secid)
>> ? */
>> ?static int smack_file_alloc_security(struct file *file)
>> ?{
>> - struct smack_known *skp = smk_of_current();
>> + struct smack_known **blob = smack_file(file);
>> ?
>> - file->f_security = skp;
>> + *blob = smk_of_current();
>> ? return 0;
>> ?}
>> ?
>> ?/**
>> - * smack_file_free_security - clear a file security blob
>> - * @file: the object
>> - *
>> - * The security blob for a file is a pointer to the master
>> - * label list, so no memory is freed.
>> - */
>> -static void smack_file_free_security(struct file *file)
>> -{
>> - file->f_security = NULL;
>> -}
>> -
>> -/**
>> ? * smack_file_ioctl - Smack check on ioctls
>> ? * @file: the object
>> ? * @cmd: what to do
>> @@ -1817,7 +1805,9 @@ static int smack_mmap_file(struct file *file,
>> ? */
>> ?static void smack_file_set_fowner(struct file *file)
>> ?{
>> - file->f_security = smk_of_current();
>> + struct smack_known **blob = smack_file(file);
>> +
>> + *blob = smk_of_current();
>> ?}
>> ?
>> ?/**
>> @@ -1834,6 +1824,7 @@ static void smack_file_set_fowner(struct file
>> *file)
>> ?static int smack_file_send_sigiotask(struct task_struct *tsk,
>> ? ?????struct fown_struct *fown, int
>> signum)
>> ?{
>> + struct smack_known **blob;
>> ? struct smack_known *skp;
>> ? struct smack_known *tkp = smk_of_task(smack_cred(tsk-
>>> cred));
>> ? struct file *file;
>> @@ -1846,7 +1837,8 @@ static int smack_file_send_sigiotask(struct
>> task_struct *tsk,
>> ? file = container_of(fown, struct file, f_owner);
>> ?
>> ? /* we don't log here as rc can be overriden */
>> - skp = file->f_security;
>> + blob = smack_file(file);
>> + skp = *blob;
>> ? rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
>> ? rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
>> ? if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
>> @@ -4578,6 +4570,7 @@ static int smack_inode_getsecctx(struct inode
>> *inode, void **ctx, u32 *ctxlen)
>> ?
>> ?struct lsm_blob_sizes smack_blob_sizes = {
>> ? .lbs_cred = sizeof(struct task_smack),
>> + .lbs_file = sizeof(struct smack_known *),
>> ?};
>> ?
>> ?static struct security_hook_list smack_hooks[] __lsm_ro_after_init =
>> {
>> @@ -4615,7 +4608,6 @@ static struct security_hook_list smack_hooks[]
>> __lsm_ro_after_init = {
>> ? LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
>> ?
>> ? LSM_HOOK_INIT(file_alloc_security,
>> smack_file_alloc_security),
>> - LSM_HOOK_INIT(file_free_security, smack_file_free_security),
>> ? LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
>> ? LSM_HOOK_INIT(file_lock, smack_file_lock),
>> ? LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 3/9] LSM: Manage file security blobs
2017-10-31 16:16 ` Casey Schaufler
@ 2017-10-31 17:32 ` John Johansen
2017-10-31 21:30 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: John Johansen @ 2017-10-31 17:32 UTC (permalink / raw)
To: linux-security-module
On 10/31/2017 09:16 AM, Casey Schaufler wrote:
> On 10/31/2017 8:25 AM, Stephen Smalley wrote:
>> On Fri, 2017-10-27 at 14:45 -0700, Casey Schaufler wrote:
>>> Subject: [PATCH 3/9] LSM: Manage file security blobs
>>>
>>> Move the management of file security blobs from the individual
>>> security modules to the security infrastructure. The security modules
>>> using file blobs have been updated accordingly. Modules are required
>>> to identify the space they need at module initialization. In some
>>> cases a module no longer needs to supply a blob management hook, in
>>> which case the hook has been removed.
>>>
>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>> ---
>>> ?include/linux/lsm_hooks.h???????????|??1 +
>>> ?security/apparmor/include/context.h |??5 +++++
>>> ?security/apparmor/include/file.h????|??2 +-
>>> ?security/apparmor/lsm.c?????????????| 19 ++++++++--------
>>> ?security/security.c?????????????????| 43
>>> +++++++++++++++++++++++++++++++++++++
>>> ?security/selinux/hooks.c????????????| 41 +++++++++----------------
>>> ----------
>>> ?security/selinux/include/objsec.h???|??5 +++++
>>> ?security/smack/smack.h??????????????|??5 +++++
>>> ?security/smack/smack_lsm.c??????????| 26 ++++++++--------------
>>> ?9 files changed, 89 insertions(+), 58 deletions(-)
>>>
>>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>>> index ee4fcc51fa91..e5d0f1e01b81 100644
>>> --- a/include/linux/lsm_hooks.h
>>> +++ b/include/linux/lsm_hooks.h
>>> @@ -1919,6 +1919,7 @@ struct security_hook_list {
>>> ? */
>>> ?struct lsm_blob_sizes {
>>> ? int lbs_cred;
>>> + int lbs_file;
>>> ?};
>>> ?
>>> ?/*
>>> diff --git a/security/apparmor/include/context.h
>>> b/security/apparmor/include/context.h
>>> index 301ab3a0dd04..c6e106a533e8 100644
>>> --- a/security/apparmor/include/context.h
>>> +++ b/security/apparmor/include/context.h
>>> @@ -87,6 +87,11 @@ static inline struct aa_label
>>> *aa_get_newest_cred_label(const struct cred *cred)
>>> ? return aa_get_newest_label(aa_cred_raw_label(cred));
>>> ?}
>>> ?
>>> +static inline struct aa_file_ctx *apparmor_file(const struct file
>>> *file)
>>> +{
>>> + return file->f_security;
>>> +}
>>> +
>>> ?/**
>>> ? * __aa_task_raw_label - retrieve another task's label
>>> ? * @task: task to query??(NOT NULL)
>>> diff --git a/security/apparmor/include/file.h
>>> b/security/apparmor/include/file.h
>>> index 4c2c8ac8842f..b9efe6bc226b 100644
>>> --- a/security/apparmor/include/file.h
>>> +++ b/security/apparmor/include/file.h
>>> @@ -32,7 +32,7 @@ struct path;
>>> ? ?AA_MAY_CHMOD | AA_MAY_CHOWN |
>>> AA_MAY_LOCK | \
>>> ? ?AA_EXEC_MMAP | AA_MAY_LINK)
>>> ?
>>> -#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
>>> +#define file_ctx(X) apparmor_file(X)
>>> ?
>>> ?/* struct aa_file_ctx - the AppArmor context the file was opened in
>>> ? * @lock: lock to update the ctx
>>> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
>>> index d80293bde5bf..f2814ba84481 100644
>>> --- a/security/apparmor/lsm.c
>>> +++ b/security/apparmor/lsm.c
>>> @@ -402,21 +402,21 @@ static int apparmor_file_open(struct file
>>> *file, const struct cred *cred)
>>> ?
>>> ?static int apparmor_file_alloc_security(struct file *file)
>>> ?{
>>> - int error = 0;
>>> -
>>> - /* freed by apparmor_file_free_security */
>>> + struct aa_file_ctx *ctx = file_ctx(file);
>>> ? struct aa_label *label = begin_current_label_crit_section();
>>> - file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
>>> - if (!file_ctx(file))
>>> - error = -ENOMEM;
>>> - end_current_label_crit_section(label);
>>> ?
>>> - return error;
>>> + spin_lock_init(&ctx->lock);
>>> + rcu_assign_pointer(ctx->label, aa_get_label(label));
>>> + end_current_label_crit_section(label);
>>> + return 0;
>>> ?}
>>> ?
>>> ?static void apparmor_file_free_security(struct file *file)
>>> ?{
>>> - aa_free_file_ctx(file_ctx(file));
>>> + struct aa_file_ctx *ctx = file_ctx(file);
>>> +
>>> + if (ctx)
>>> + aa_put_label(rcu_access_pointer(ctx->label));
>>> ?}
>>> ?
>>> ?static int common_file_perm(const char *op, struct file *file, u32
>>> mask)
>>> @@ -1078,6 +1078,7 @@ static void apparmor_sock_graft(struct sock
>>> *sk, struct socket *parent)
>>> ?
>>> ?struct lsm_blob_sizes apparmor_blob_sizes = {
>>> ? .lbs_cred = sizeof(struct aa_task_ctx),
>>> + .lbs_file = sizeof(struct aa_file_ctx),
>>> ?};
>>> ?
>>> ?static struct security_hook_list apparmor_hooks[]
>>> __lsm_ro_after_init = {
>>> diff --git a/security/security.c b/security/security.c
>>> index 6fadc3860fb0..4d8e702fa22f 100644
>>> --- a/security/security.c
>>> +++ b/security/security.c
>>> @@ -37,6 +37,8 @@
>>> ?struct security_hook_heads security_hook_heads __lsm_ro_after_init;
>>> ?static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
>>> ?
>>> +static struct kmem_cache *lsm_file_cache;
>>> +
>>> ?char *lsm_names;
>>> ?static struct lsm_blob_sizes blob_sizes;
>>> ?
>>> @@ -83,6 +85,13 @@ int __init security_init(void)
>>> ? do_security_initcalls();
>>> ?
>>> ? /*
>>> + ?* Create any kmem_caches needed for blobs
>>> + ?*/
>>> + if (blob_sizes.lbs_file)
>>> + lsm_file_cache = kmem_cache_create("lsm_file_cache",
>>> + ???blob_sizes.lbs_fi
>>> le, 0,
>>> + ???SLAB_PANIC,
>>> NULL);
>>> + /*
>>> ? ?* The second call to a module specific init function
>>> ? ?* adds hooks to the hook lists and does any other early
>>> ? ?* initializations required.
>>> @@ -91,6 +100,7 @@ int __init security_init(void)
>>> ?
>>> ?#ifdef CONFIG_SECURITY_LSM_DEBUG
>>> ? pr_info("LSM: cred blob size???????= %d\n",
>>> blob_sizes.lbs_cred);
>>> + pr_info("LSM: file blob size???????= %d\n",
>>> blob_sizes.lbs_file);
>>> ?#endif
>>> ?
>>> ? return 0;
>>> @@ -267,6 +277,26 @@ static void __init lsm_set_size(int *need, int
>>> *lbs)
>>> ?void __init security_add_blobs(struct lsm_blob_sizes *needed)
>>> ?{
>>> ? lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
>>> + lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
>>> +}
>>> +
>>> +/**
>>> + * lsm_file_alloc - allocate a composite file blob
>>> + * @file: the file that needs a blob
>>> + *
>>> + * Allocate the file blob for all the modules
>>> + *
>>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>>> + */
>>> +int lsm_file_alloc(struct file *file)
>>> +{
>>> + if (!lsm_file_cache)
>>> + return 0;
>>> +
>>> + file->f_security = kmem_cache_zalloc(lsm_file_cache,
>>> GFP_KERNEL);
>>> + if (file->f_security == NULL)
>>> + return -ENOMEM;
>>> + return 0;
>>> ?}
>>> ?
>>> ?/*
>>> @@ -952,12 +982,25 @@ int security_file_permission(struct file *file,
>>> int mask)
>>> ?
>>> ?int security_file_alloc(struct file *file)
>>> ?{
>>> + int rc = lsm_file_alloc(file);
>>> +
>>> + if (rc)
>>> + return rc;
>>> ? return call_int_hook(file_alloc_security, 0, file);
>> Suppose that a module's file_alloc_security() hook returns an error.
>> What should happen to the blob allocated by lsm_file_alloc()? In
>> general, callers assumes that security_file_alloc() handles cleanup
>> internally if it returns an error and do not call security_file_free();
>> this is also true of other similar alloc hooks I believe. ?Further, if
>> we allow the module file_alloc_security() hooks to perform any
>> allocation themselves, then we have a similar problem with regard to
>> cleanup if any one of them fails; to be fully safe, we'd need to call
>> the file_free_security() hook on the ones that had previously returned
>> success. Either we need to handle such errors within
>> security_file_alloc(), or we need to dispense with the ability to
>> allocate and return an error code from the module's
>> file_alloc_security(), i.e. make them return void, and probably rename
>> them to file_init_security() or similar.
>
> I like the idea of changing file_alloc_security() to file_init_security()
> or maybe file_setup_security() and making the hook a void function. If a
> module wants to allocate space on its own it will need to deal with the
> fact that it may have been unable to do so. I hesitate to prohibit modules
> from allocating their own space because someone is going to want to have a
> list of attributes. Trying to manage memory that you don't know about is
> a loosing proposition.
>
Changing it to a void is just going to lead to LSMs that handle this them
selves having to deny every access of the object, because that is the only
sane thing they can do if the data they need isn't present.
It far better to have the one failure upfront than having an LSM rejecting
every access to the object after the fact. And looking down the road to
namespacing for containers I don't see away to handle some of the things
that will be needed without an LSM doing allocations and managing stuff
internally, but thats an argument for a different patch series.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 3/9] LSM: Manage file security blobs
2017-10-31 17:32 ` John Johansen
@ 2017-10-31 21:30 ` Casey Schaufler
2017-10-31 21:57 ` Casey Schaufler
2017-11-01 12:20 ` Stephen Smalley
0 siblings, 2 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-31 21:30 UTC (permalink / raw)
To: linux-security-module
On 10/31/2017 10:32 AM, John Johansen wrote:
> On 10/31/2017 09:16 AM, Casey Schaufler wrote:
>> On 10/31/2017 8:25 AM, Stephen Smalley wrote:
>>> On Fri, 2017-10-27 at 14:45 -0700, Casey Schaufler wrote:
>>>> Subject: [PATCH 3/9] LSM: Manage file security blobs
>>>>
>>>> Move the management of file security blobs from the individual
>>>> security modules to the security infrastructure. The security modules
>>>> using file blobs have been updated accordingly. Modules are required
>>>> to identify the space they need at module initialization. In some
>>>> cases a module no longer needs to supply a blob management hook, in
>>>> which case the hook has been removed.
>>>>
>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>>> ---
>>>> ?include/linux/lsm_hooks.h???????????|??1 +
>>>> ?security/apparmor/include/context.h |??5 +++++
>>>> ?security/apparmor/include/file.h????|??2 +-
>>>> ?security/apparmor/lsm.c?????????????| 19 ++++++++--------
>>>> ?security/security.c?????????????????| 43
>>>> +++++++++++++++++++++++++++++++++++++
>>>> ?security/selinux/hooks.c????????????| 41 +++++++++----------------
>>>> ----------
>>>> ?security/selinux/include/objsec.h???|??5 +++++
>>>> ?security/smack/smack.h??????????????|??5 +++++
>>>> ?security/smack/smack_lsm.c??????????| 26 ++++++++--------------
>>>> ?9 files changed, 89 insertions(+), 58 deletions(-)
>>>>
>>>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>>>> index ee4fcc51fa91..e5d0f1e01b81 100644
>>>> --- a/include/linux/lsm_hooks.h
>>>> +++ b/include/linux/lsm_hooks.h
>>>> @@ -1919,6 +1919,7 @@ struct security_hook_list {
>>>> ? */
>>>> ?struct lsm_blob_sizes {
>>>> ? int lbs_cred;
>>>> + int lbs_file;
>>>> ?};
>>>> ?
>>>> ?/*
>>>> diff --git a/security/apparmor/include/context.h
>>>> b/security/apparmor/include/context.h
>>>> index 301ab3a0dd04..c6e106a533e8 100644
>>>> --- a/security/apparmor/include/context.h
>>>> +++ b/security/apparmor/include/context.h
>>>> @@ -87,6 +87,11 @@ static inline struct aa_label
>>>> *aa_get_newest_cred_label(const struct cred *cred)
>>>> ? return aa_get_newest_label(aa_cred_raw_label(cred));
>>>> ?}
>>>> ?
>>>> +static inline struct aa_file_ctx *apparmor_file(const struct file
>>>> *file)
>>>> +{
>>>> + return file->f_security;
>>>> +}
>>>> +
>>>> ?/**
>>>> ? * __aa_task_raw_label - retrieve another task's label
>>>> ? * @task: task to query??(NOT NULL)
>>>> diff --git a/security/apparmor/include/file.h
>>>> b/security/apparmor/include/file.h
>>>> index 4c2c8ac8842f..b9efe6bc226b 100644
>>>> --- a/security/apparmor/include/file.h
>>>> +++ b/security/apparmor/include/file.h
>>>> @@ -32,7 +32,7 @@ struct path;
>>>> ? ?AA_MAY_CHMOD | AA_MAY_CHOWN |
>>>> AA_MAY_LOCK | \
>>>> ? ?AA_EXEC_MMAP | AA_MAY_LINK)
>>>> ?
>>>> -#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
>>>> +#define file_ctx(X) apparmor_file(X)
>>>> ?
>>>> ?/* struct aa_file_ctx - the AppArmor context the file was opened in
>>>> ? * @lock: lock to update the ctx
>>>> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
>>>> index d80293bde5bf..f2814ba84481 100644
>>>> --- a/security/apparmor/lsm.c
>>>> +++ b/security/apparmor/lsm.c
>>>> @@ -402,21 +402,21 @@ static int apparmor_file_open(struct file
>>>> *file, const struct cred *cred)
>>>> ?
>>>> ?static int apparmor_file_alloc_security(struct file *file)
>>>> ?{
>>>> - int error = 0;
>>>> -
>>>> - /* freed by apparmor_file_free_security */
>>>> + struct aa_file_ctx *ctx = file_ctx(file);
>>>> ? struct aa_label *label = begin_current_label_crit_section();
>>>> - file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
>>>> - if (!file_ctx(file))
>>>> - error = -ENOMEM;
>>>> - end_current_label_crit_section(label);
>>>> ?
>>>> - return error;
>>>> + spin_lock_init(&ctx->lock);
>>>> + rcu_assign_pointer(ctx->label, aa_get_label(label));
>>>> + end_current_label_crit_section(label);
>>>> + return 0;
>>>> ?}
>>>> ?
>>>> ?static void apparmor_file_free_security(struct file *file)
>>>> ?{
>>>> - aa_free_file_ctx(file_ctx(file));
>>>> + struct aa_file_ctx *ctx = file_ctx(file);
>>>> +
>>>> + if (ctx)
>>>> + aa_put_label(rcu_access_pointer(ctx->label));
>>>> ?}
>>>> ?
>>>> ?static int common_file_perm(const char *op, struct file *file, u32
>>>> mask)
>>>> @@ -1078,6 +1078,7 @@ static void apparmor_sock_graft(struct sock
>>>> *sk, struct socket *parent)
>>>> ?
>>>> ?struct lsm_blob_sizes apparmor_blob_sizes = {
>>>> ? .lbs_cred = sizeof(struct aa_task_ctx),
>>>> + .lbs_file = sizeof(struct aa_file_ctx),
>>>> ?};
>>>> ?
>>>> ?static struct security_hook_list apparmor_hooks[]
>>>> __lsm_ro_after_init = {
>>>> diff --git a/security/security.c b/security/security.c
>>>> index 6fadc3860fb0..4d8e702fa22f 100644
>>>> --- a/security/security.c
>>>> +++ b/security/security.c
>>>> @@ -37,6 +37,8 @@
>>>> ?struct security_hook_heads security_hook_heads __lsm_ro_after_init;
>>>> ?static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
>>>> ?
>>>> +static struct kmem_cache *lsm_file_cache;
>>>> +
>>>> ?char *lsm_names;
>>>> ?static struct lsm_blob_sizes blob_sizes;
>>>> ?
>>>> @@ -83,6 +85,13 @@ int __init security_init(void)
>>>> ? do_security_initcalls();
>>>> ?
>>>> ? /*
>>>> + ?* Create any kmem_caches needed for blobs
>>>> + ?*/
>>>> + if (blob_sizes.lbs_file)
>>>> + lsm_file_cache = kmem_cache_create("lsm_file_cache",
>>>> + ???blob_sizes.lbs_fi
>>>> le, 0,
>>>> + ???SLAB_PANIC,
>>>> NULL);
>>>> + /*
>>>> ? ?* The second call to a module specific init function
>>>> ? ?* adds hooks to the hook lists and does any other early
>>>> ? ?* initializations required.
>>>> @@ -91,6 +100,7 @@ int __init security_init(void)
>>>> ?
>>>> ?#ifdef CONFIG_SECURITY_LSM_DEBUG
>>>> ? pr_info("LSM: cred blob size???????= %d\n",
>>>> blob_sizes.lbs_cred);
>>>> + pr_info("LSM: file blob size???????= %d\n",
>>>> blob_sizes.lbs_file);
>>>> ?#endif
>>>> ?
>>>> ? return 0;
>>>> @@ -267,6 +277,26 @@ static void __init lsm_set_size(int *need, int
>>>> *lbs)
>>>> ?void __init security_add_blobs(struct lsm_blob_sizes *needed)
>>>> ?{
>>>> ? lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
>>>> + lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
>>>> +}
>>>> +
>>>> +/**
>>>> + * lsm_file_alloc - allocate a composite file blob
>>>> + * @file: the file that needs a blob
>>>> + *
>>>> + * Allocate the file blob for all the modules
>>>> + *
>>>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>>>> + */
>>>> +int lsm_file_alloc(struct file *file)
>>>> +{
>>>> + if (!lsm_file_cache)
>>>> + return 0;
>>>> +
>>>> + file->f_security = kmem_cache_zalloc(lsm_file_cache,
>>>> GFP_KERNEL);
>>>> + if (file->f_security == NULL)
>>>> + return -ENOMEM;
>>>> + return 0;
>>>> ?}
>>>> ?
>>>> ?/*
>>>> @@ -952,12 +982,25 @@ int security_file_permission(struct file *file,
>>>> int mask)
>>>> ?
>>>> ?int security_file_alloc(struct file *file)
>>>> ?{
>>>> + int rc = lsm_file_alloc(file);
>>>> +
>>>> + if (rc)
>>>> + return rc;
>>>> ? return call_int_hook(file_alloc_security, 0, file);
>>> Suppose that a module's file_alloc_security() hook returns an error.
>>> What should happen to the blob allocated by lsm_file_alloc()? In
>>> general, callers assumes that security_file_alloc() handles cleanup
>>> internally if it returns an error and do not call security_file_free();
>>> this is also true of other similar alloc hooks I believe. ?Further, if
>>> we allow the module file_alloc_security() hooks to perform any
>>> allocation themselves, then we have a similar problem with regard to
>>> cleanup if any one of them fails; to be fully safe, we'd need to call
>>> the file_free_security() hook on the ones that had previously returned
>>> success. Either we need to handle such errors within
>>> security_file_alloc(), or we need to dispense with the ability to
>>> allocate and return an error code from the module's
>>> file_alloc_security(), i.e. make them return void, and probably rename
>>> them to file_init_security() or similar.
>> I like the idea of changing file_alloc_security() to file_init_security()
>> or maybe file_setup_security() and making the hook a void function. If a
>> module wants to allocate space on its own it will need to deal with the
>> fact that it may have been unable to do so. I hesitate to prohibit modules
>> from allocating their own space because someone is going to want to have a
>> list of attributes. Trying to manage memory that you don't know about is
>> a loosing proposition.
>>
> Changing it to a void is just going to lead to LSMs that handle this them
> selves having to deny every access of the object, because that is the only
> sane thing they can do if the data they need isn't present.
It's also not going to work for the IPC cases where SELinux is
doing access checks in the alloc functions. I sure wasn't expecting
that. But the reality is that no security module does additional
allocation, and I don't see any initialization that requires cleanup.
Life will be a whole lot simpler if we keep it that way.
Or, we can have a post_file_alloc_security() hook which takes a boolean
that tells the function to complete or delete the action. The boolean
would be set depending on whether security_file_alloc() succeeded or
failed. It would be called in security_file_alloc() after the
file_alloc_security() functions. Hm. That would keep it contained and
mean that only modules that do their own management would have to have
a hook. Brilliant! Messy, but workable. And best of all, nothing needs
to be done until we have a module that needs it.
> It far better to have the one failure upfront than having an LSM rejecting
> every access to the object after the fact. And looking down the road to
> namespacing for containers I don't see away to handle some of the things
> that will be needed without an LSM doing allocations and managing stuff
> internally, but thats an argument for a different patch series.
OK, I'll buy that. Let's plan for post_file_alloc entries when the need
arises, and leave the code the way it is for now.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 3/9] LSM: Manage file security blobs
2017-10-31 21:30 ` Casey Schaufler
@ 2017-10-31 21:57 ` Casey Schaufler
2017-11-01 12:20 ` Stephen Smalley
1 sibling, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-31 21:57 UTC (permalink / raw)
To: linux-security-module
On 10/31/2017 2:30 PM, Casey Schaufler wrote:
> On 10/31/2017 10:32 AM, John Johansen wrote:
>> On 10/31/2017 09:16 AM, Casey Schaufler wrote:
>>> On 10/31/2017 8:25 AM, Stephen Smalley wrote:
>>>> On Fri, 2017-10-27 at 14:45 -0700, Casey Schaufler wrote:
>>>>> Subject: [PATCH 3/9] LSM: Manage file security blobs
>>>>>
>>>>> Move the management of file security blobs from the individual
>>>>> security modules to the security infrastructure. The security modules
>>>>> using file blobs have been updated accordingly. Modules are required
>>>>> to identify the space they need at module initialization. In some
>>>>> cases a module no longer needs to supply a blob management hook, in
>>>>> which case the hook has been removed.
>>>>>
>>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>>>> ---
>>>>> ?include/linux/lsm_hooks.h???????????|??1 +
>>>>> ?security/apparmor/include/context.h |??5 +++++
>>>>> ?security/apparmor/include/file.h????|??2 +-
>>>>> ?security/apparmor/lsm.c?????????????| 19 ++++++++--------
>>>>> ?security/security.c?????????????????| 43
>>>>> +++++++++++++++++++++++++++++++++++++
>>>>> ?security/selinux/hooks.c????????????| 41 +++++++++----------------
>>>>> ----------
>>>>> ?security/selinux/include/objsec.h???|??5 +++++
>>>>> ?security/smack/smack.h??????????????|??5 +++++
>>>>> ?security/smack/smack_lsm.c??????????| 26 ++++++++--------------
>>>>> ?9 files changed, 89 insertions(+), 58 deletions(-)
>>>>>
>>>>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>>>>> index ee4fcc51fa91..e5d0f1e01b81 100644
>>>>> --- a/include/linux/lsm_hooks.h
>>>>> +++ b/include/linux/lsm_hooks.h
>>>>> @@ -1919,6 +1919,7 @@ struct security_hook_list {
>>>>> ? */
>>>>> ?struct lsm_blob_sizes {
>>>>> ? int lbs_cred;
>>>>> + int lbs_file;
>>>>> ?};
>>>>> ?
>>>>> ?/*
>>>>> diff --git a/security/apparmor/include/context.h
>>>>> b/security/apparmor/include/context.h
>>>>> index 301ab3a0dd04..c6e106a533e8 100644
>>>>> --- a/security/apparmor/include/context.h
>>>>> +++ b/security/apparmor/include/context.h
>>>>> @@ -87,6 +87,11 @@ static inline struct aa_label
>>>>> *aa_get_newest_cred_label(const struct cred *cred)
>>>>> ? return aa_get_newest_label(aa_cred_raw_label(cred));
>>>>> ?}
>>>>> ?
>>>>> +static inline struct aa_file_ctx *apparmor_file(const struct file
>>>>> *file)
>>>>> +{
>>>>> + return file->f_security;
>>>>> +}
>>>>> +
>>>>> ?/**
>>>>> ? * __aa_task_raw_label - retrieve another task's label
>>>>> ? * @task: task to query??(NOT NULL)
>>>>> diff --git a/security/apparmor/include/file.h
>>>>> b/security/apparmor/include/file.h
>>>>> index 4c2c8ac8842f..b9efe6bc226b 100644
>>>>> --- a/security/apparmor/include/file.h
>>>>> +++ b/security/apparmor/include/file.h
>>>>> @@ -32,7 +32,7 @@ struct path;
>>>>> ? ?AA_MAY_CHMOD | AA_MAY_CHOWN |
>>>>> AA_MAY_LOCK | \
>>>>> ? ?AA_EXEC_MMAP | AA_MAY_LINK)
>>>>> ?
>>>>> -#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
>>>>> +#define file_ctx(X) apparmor_file(X)
>>>>> ?
>>>>> ?/* struct aa_file_ctx - the AppArmor context the file was opened in
>>>>> ? * @lock: lock to update the ctx
>>>>> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
>>>>> index d80293bde5bf..f2814ba84481 100644
>>>>> --- a/security/apparmor/lsm.c
>>>>> +++ b/security/apparmor/lsm.c
>>>>> @@ -402,21 +402,21 @@ static int apparmor_file_open(struct file
>>>>> *file, const struct cred *cred)
>>>>> ?
>>>>> ?static int apparmor_file_alloc_security(struct file *file)
>>>>> ?{
>>>>> - int error = 0;
>>>>> -
>>>>> - /* freed by apparmor_file_free_security */
>>>>> + struct aa_file_ctx *ctx = file_ctx(file);
>>>>> ? struct aa_label *label = begin_current_label_crit_section();
>>>>> - file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
>>>>> - if (!file_ctx(file))
>>>>> - error = -ENOMEM;
>>>>> - end_current_label_crit_section(label);
>>>>> ?
>>>>> - return error;
>>>>> + spin_lock_init(&ctx->lock);
>>>>> + rcu_assign_pointer(ctx->label, aa_get_label(label));
>>>>> + end_current_label_crit_section(label);
>>>>> + return 0;
>>>>> ?}
>>>>> ?
>>>>> ?static void apparmor_file_free_security(struct file *file)
>>>>> ?{
>>>>> - aa_free_file_ctx(file_ctx(file));
>>>>> + struct aa_file_ctx *ctx = file_ctx(file);
>>>>> +
>>>>> + if (ctx)
>>>>> + aa_put_label(rcu_access_pointer(ctx->label));
>>>>> ?}
>>>>> ?
>>>>> ?static int common_file_perm(const char *op, struct file *file, u32
>>>>> mask)
>>>>> @@ -1078,6 +1078,7 @@ static void apparmor_sock_graft(struct sock
>>>>> *sk, struct socket *parent)
>>>>> ?
>>>>> ?struct lsm_blob_sizes apparmor_blob_sizes = {
>>>>> ? .lbs_cred = sizeof(struct aa_task_ctx),
>>>>> + .lbs_file = sizeof(struct aa_file_ctx),
>>>>> ?};
>>>>> ?
>>>>> ?static struct security_hook_list apparmor_hooks[]
>>>>> __lsm_ro_after_init = {
>>>>> diff --git a/security/security.c b/security/security.c
>>>>> index 6fadc3860fb0..4d8e702fa22f 100644
>>>>> --- a/security/security.c
>>>>> +++ b/security/security.c
>>>>> @@ -37,6 +37,8 @@
>>>>> ?struct security_hook_heads security_hook_heads __lsm_ro_after_init;
>>>>> ?static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
>>>>> ?
>>>>> +static struct kmem_cache *lsm_file_cache;
>>>>> +
>>>>> ?char *lsm_names;
>>>>> ?static struct lsm_blob_sizes blob_sizes;
>>>>> ?
>>>>> @@ -83,6 +85,13 @@ int __init security_init(void)
>>>>> ? do_security_initcalls();
>>>>> ?
>>>>> ? /*
>>>>> + ?* Create any kmem_caches needed for blobs
>>>>> + ?*/
>>>>> + if (blob_sizes.lbs_file)
>>>>> + lsm_file_cache = kmem_cache_create("lsm_file_cache",
>>>>> + ???blob_sizes.lbs_fi
>>>>> le, 0,
>>>>> + ???SLAB_PANIC,
>>>>> NULL);
>>>>> + /*
>>>>> ? ?* The second call to a module specific init function
>>>>> ? ?* adds hooks to the hook lists and does any other early
>>>>> ? ?* initializations required.
>>>>> @@ -91,6 +100,7 @@ int __init security_init(void)
>>>>> ?
>>>>> ?#ifdef CONFIG_SECURITY_LSM_DEBUG
>>>>> ? pr_info("LSM: cred blob size???????= %d\n",
>>>>> blob_sizes.lbs_cred);
>>>>> + pr_info("LSM: file blob size???????= %d\n",
>>>>> blob_sizes.lbs_file);
>>>>> ?#endif
>>>>> ?
>>>>> ? return 0;
>>>>> @@ -267,6 +277,26 @@ static void __init lsm_set_size(int *need, int
>>>>> *lbs)
>>>>> ?void __init security_add_blobs(struct lsm_blob_sizes *needed)
>>>>> ?{
>>>>> ? lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
>>>>> + lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
>>>>> +}
>>>>> +
>>>>> +/**
>>>>> + * lsm_file_alloc - allocate a composite file blob
>>>>> + * @file: the file that needs a blob
>>>>> + *
>>>>> + * Allocate the file blob for all the modules
>>>>> + *
>>>>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>>>>> + */
>>>>> +int lsm_file_alloc(struct file *file)
>>>>> +{
>>>>> + if (!lsm_file_cache)
>>>>> + return 0;
>>>>> +
>>>>> + file->f_security = kmem_cache_zalloc(lsm_file_cache,
>>>>> GFP_KERNEL);
>>>>> + if (file->f_security == NULL)
>>>>> + return -ENOMEM;
>>>>> + return 0;
>>>>> ?}
>>>>> ?
>>>>> ?/*
>>>>> @@ -952,12 +982,25 @@ int security_file_permission(struct file *file,
>>>>> int mask)
>>>>> ?
>>>>> ?int security_file_alloc(struct file *file)
>>>>> ?{
>>>>> + int rc = lsm_file_alloc(file);
>>>>> +
>>>>> + if (rc)
>>>>> + return rc;
>>>>> ? return call_int_hook(file_alloc_security, 0, file);
>>>> Suppose that a module's file_alloc_security() hook returns an error.
>>>> What should happen to the blob allocated by lsm_file_alloc()? In
>>>> general, callers assumes that security_file_alloc() handles cleanup
>>>> internally if it returns an error and do not call security_file_free();
>>>> this is also true of other similar alloc hooks I believe. ?Further, if
>>>> we allow the module file_alloc_security() hooks to perform any
>>>> allocation themselves, then we have a similar problem with regard to
>>>> cleanup if any one of them fails; to be fully safe, we'd need to call
>>>> the file_free_security() hook on the ones that had previously returned
>>>> success. Either we need to handle such errors within
>>>> security_file_alloc(), or we need to dispense with the ability to
>>>> allocate and return an error code from the module's
>>>> file_alloc_security(), i.e. make them return void, and probably rename
>>>> them to file_init_security() or similar.
>>> I like the idea of changing file_alloc_security() to file_init_security()
>>> or maybe file_setup_security() and making the hook a void function. If a
>>> module wants to allocate space on its own it will need to deal with the
>>> fact that it may have been unable to do so. I hesitate to prohibit modules
>>> from allocating their own space because someone is going to want to have a
>>> list of attributes. Trying to manage memory that you don't know about is
>>> a loosing proposition.
>>>
>> Changing it to a void is just going to lead to LSMs that handle this them
>> selves having to deny every access of the object, because that is the only
>> sane thing they can do if the data they need isn't present.
> It's also not going to work for the IPC cases where SELinux is
> doing access checks in the alloc functions. I sure wasn't expecting
> that. But the reality is that no security module does additional
> allocation, and I don't see any initialization that requires cleanup.
> Life will be a whole lot simpler if we keep it that way.
>
> Or, we can have a post_file_alloc_security() hook which takes a boolean
> that tells the function to complete or delete the action. The boolean
> would be set depending on whether security_file_alloc() succeeded or
> failed. It would be called in security_file_alloc() after the
> file_alloc_security() functions. Hm. That would keep it contained and
> mean that only modules that do their own management would have to have
> a hook. Brilliant! Messy, but workable. And best of all, nothing needs
> to be done until we have a module that needs it.
>
>> It far better to have the one failure upfront than having an LSM rejecting
>> every access to the object after the fact. And looking down the road to
>> namespacing for containers I don't see away to handle some of the things
>> that will be needed without an LSM doing allocations and managing stuff
>> internally, but thats an argument for a different patch series.
> OK, I'll buy that. Let's plan for post_file_alloc entries when the need
> arises, and leave the code the way it is for now.
Here's what I think it would look like, in case I wasn't clear:
int security_file_alloc(struct file *file)
{
int rc = lsm_file_alloc(file);
if (rc)
return rc;
rc = call_int_hook(file_alloc_security, 0, file);
call_void_hook(post_file_alloc_security, file, rc != 0);
return rc;
}
The 3rd argument to the post_file_alloc_security functions is true
if the data should be deleted and false if the operation should be
completed. The post_file_alloc_security functions are not allowed to
fail. They can't make access control checks.
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 3/9] LSM: Manage file security blobs
2017-10-31 21:30 ` Casey Schaufler
2017-10-31 21:57 ` Casey Schaufler
@ 2017-11-01 12:20 ` Stephen Smalley
1 sibling, 0 replies; 27+ messages in thread
From: Stephen Smalley @ 2017-11-01 12:20 UTC (permalink / raw)
To: linux-security-module
On Tue, 2017-10-31 at 14:30 -0700, Casey Schaufler wrote:
> On 10/31/2017 10:32 AM, John Johansen wrote:
> > On 10/31/2017 09:16 AM, Casey Schaufler wrote:
> > > On 10/31/2017 8:25 AM, Stephen Smalley wrote:
> > > > On Fri, 2017-10-27 at 14:45 -0700, Casey Schaufler wrote:
> > > > > Subject: [PATCH 3/9] LSM: Manage file security blobs
> > > > >
> > > > > Move the management of file security blobs from the
> > > > > individual
> > > > > security modules to the security infrastructure. The security
> > > > > modules
> > > > > using file blobs have been updated accordingly. Modules are
> > > > > required
> > > > > to identify the space they need at module initialization. In
> > > > > some
> > > > > cases a module no longer needs to supply a blob management
> > > > > hook, in
> > > > > which case the hook has been removed.
> > > > >
> > > > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > > > > ---
> > > > > ?include/linux/lsm_hooks.h???????????|??1 +
> > > > > ?security/apparmor/include/context.h |??5 +++++
> > > > > ?security/apparmor/include/file.h????|??2 +-
> > > > > ?security/apparmor/lsm.c?????????????| 19 ++++++++--------
> > > > > ?security/security.c?????????????????| 43
> > > > > +++++++++++++++++++++++++++++++++++++
> > > > > ?security/selinux/hooks.c????????????| 41 +++++++++--------
> > > > > --------
> > > > > ----------
> > > > > ?security/selinux/include/objsec.h???|??5 +++++
> > > > > ?security/smack/smack.h??????????????|??5 +++++
> > > > > ?security/smack/smack_lsm.c??????????| 26 ++++++++-----------
> > > > > ---
> > > > > ?9 files changed, 89 insertions(+), 58 deletions(-)
> > > > >
> > > > > diff --git a/include/linux/lsm_hooks.h
> > > > > b/include/linux/lsm_hooks.h
> > > > > index ee4fcc51fa91..e5d0f1e01b81 100644
> > > > > --- a/include/linux/lsm_hooks.h
> > > > > +++ b/include/linux/lsm_hooks.h
> > > > > @@ -1919,6 +1919,7 @@ struct security_hook_list {
> > > > > ? */
> > > > > ?struct lsm_blob_sizes {
> > > > > ? int lbs_cred;
> > > > > + int lbs_file;
> > > > > ?};
> > > > > ?
> > > > > ?/*
> > > > > diff --git a/security/apparmor/include/context.h
> > > > > b/security/apparmor/include/context.h
> > > > > index 301ab3a0dd04..c6e106a533e8 100644
> > > > > --- a/security/apparmor/include/context.h
> > > > > +++ b/security/apparmor/include/context.h
> > > > > @@ -87,6 +87,11 @@ static inline struct aa_label
> > > > > *aa_get_newest_cred_label(const struct cred *cred)
> > > > > ? return aa_get_newest_label(aa_cred_raw_label(cred));
> > > > > ?}
> > > > > ?
> > > > > +static inline struct aa_file_ctx *apparmor_file(const struct
> > > > > file
> > > > > *file)
> > > > > +{
> > > > > + return file->f_security;
> > > > > +}
> > > > > +
> > > > > ?/**
> > > > > ? * __aa_task_raw_label - retrieve another task's label
> > > > > ? * @task: task to query??(NOT NULL)
> > > > > diff --git a/security/apparmor/include/file.h
> > > > > b/security/apparmor/include/file.h
> > > > > index 4c2c8ac8842f..b9efe6bc226b 100644
> > > > > --- a/security/apparmor/include/file.h
> > > > > +++ b/security/apparmor/include/file.h
> > > > > @@ -32,7 +32,7 @@ struct path;
> > > > > ? ?AA_MAY_CHMOD | AA_MAY_CHOWN
> > > > > |
> > > > > AA_MAY_LOCK | \
> > > > > ? ?AA_EXEC_MMAP | AA_MAY_LINK)
> > > > > ?
> > > > > -#define file_ctx(X) ((struct aa_file_ctx *)(X)->f_security)
> > > > > +#define file_ctx(X) apparmor_file(X)
> > > > > ?
> > > > > ?/* struct aa_file_ctx - the AppArmor context the file was
> > > > > opened in
> > > > > ? * @lock: lock to update the ctx
> > > > > diff --git a/security/apparmor/lsm.c
> > > > > b/security/apparmor/lsm.c
> > > > > index d80293bde5bf..f2814ba84481 100644
> > > > > --- a/security/apparmor/lsm.c
> > > > > +++ b/security/apparmor/lsm.c
> > > > > @@ -402,21 +402,21 @@ static int apparmor_file_open(struct
> > > > > file
> > > > > *file, const struct cred *cred)
> > > > > ?
> > > > > ?static int apparmor_file_alloc_security(struct file *file)
> > > > > ?{
> > > > > - int error = 0;
> > > > > -
> > > > > - /* freed by apparmor_file_free_security */
> > > > > + struct aa_file_ctx *ctx = file_ctx(file);
> > > > > ? struct aa_label *label =
> > > > > begin_current_label_crit_section();
> > > > > - file->f_security = aa_alloc_file_ctx(label,
> > > > > GFP_KERNEL);
> > > > > - if (!file_ctx(file))
> > > > > - error = -ENOMEM;
> > > > > - end_current_label_crit_section(label);
> > > > > ?
> > > > > - return error;
> > > > > + spin_lock_init(&ctx->lock);
> > > > > + rcu_assign_pointer(ctx->label, aa_get_label(label));
> > > > > + end_current_label_crit_section(label);
> > > > > + return 0;
> > > > > ?}
> > > > > ?
> > > > > ?static void apparmor_file_free_security(struct file *file)
> > > > > ?{
> > > > > - aa_free_file_ctx(file_ctx(file));
> > > > > + struct aa_file_ctx *ctx = file_ctx(file);
> > > > > +
> > > > > + if (ctx)
> > > > > + aa_put_label(rcu_access_pointer(ctx-
> > > > > >label));
> > > > > ?}
> > > > > ?
> > > > > ?static int common_file_perm(const char *op, struct file
> > > > > *file, u32
> > > > > mask)
> > > > > @@ -1078,6 +1078,7 @@ static void apparmor_sock_graft(struct
> > > > > sock
> > > > > *sk, struct socket *parent)
> > > > > ?
> > > > > ?struct lsm_blob_sizes apparmor_blob_sizes = {
> > > > > ? .lbs_cred = sizeof(struct aa_task_ctx),
> > > > > + .lbs_file = sizeof(struct aa_file_ctx),
> > > > > ?};
> > > > > ?
> > > > > ?static struct security_hook_list apparmor_hooks[]
> > > > > __lsm_ro_after_init = {
> > > > > diff --git a/security/security.c b/security/security.c
> > > > > index 6fadc3860fb0..4d8e702fa22f 100644
> > > > > --- a/security/security.c
> > > > > +++ b/security/security.c
> > > > > @@ -37,6 +37,8 @@
> > > > > ?struct security_hook_heads security_hook_heads
> > > > > __lsm_ro_after_init;
> > > > > ?static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
> > > > > ?
> > > > > +static struct kmem_cache *lsm_file_cache;
> > > > > +
> > > > > ?char *lsm_names;
> > > > > ?static struct lsm_blob_sizes blob_sizes;
> > > > > ?
> > > > > @@ -83,6 +85,13 @@ int __init security_init(void)
> > > > > ? do_security_initcalls();
> > > > > ?
> > > > > ? /*
> > > > > + ?* Create any kmem_caches needed for blobs
> > > > > + ?*/
> > > > > + if (blob_sizes.lbs_file)
> > > > > + lsm_file_cache =
> > > > > kmem_cache_create("lsm_file_cache",
> > > > > + ???blob_size
> > > > > s.lbs_fi
> > > > > le, 0,
> > > > > + ???SLAB_PANI
> > > > > C,
> > > > > NULL);
> > > > > + /*
> > > > > ? ?* The second call to a module specific init
> > > > > function
> > > > > ? ?* adds hooks to the hook lists and does any other
> > > > > early
> > > > > ? ?* initializations required.
> > > > > @@ -91,6 +100,7 @@ int __init security_init(void)
> > > > > ?
> > > > > ?#ifdef CONFIG_SECURITY_LSM_DEBUG
> > > > > ? pr_info("LSM: cred blob size???????= %d\n",
> > > > > blob_sizes.lbs_cred);
> > > > > + pr_info("LSM: file blob size???????= %d\n",
> > > > > blob_sizes.lbs_file);
> > > > > ?#endif
> > > > > ?
> > > > > ? return 0;
> > > > > @@ -267,6 +277,26 @@ static void __init lsm_set_size(int
> > > > > *need, int
> > > > > *lbs)
> > > > > ?void __init security_add_blobs(struct lsm_blob_sizes
> > > > > *needed)
> > > > > ?{
> > > > > ? lsm_set_size(&needed->lbs_cred,
> > > > > &blob_sizes.lbs_cred);
> > > > > + lsm_set_size(&needed->lbs_file,
> > > > > &blob_sizes.lbs_file);
> > > > > +}
> > > > > +
> > > > > +/**
> > > > > + * lsm_file_alloc - allocate a composite file blob
> > > > > + * @file: the file that needs a blob
> > > > > + *
> > > > > + * Allocate the file blob for all the modules
> > > > > + *
> > > > > + * Returns 0, or -ENOMEM if memory can't be allocated.
> > > > > + */
> > > > > +int lsm_file_alloc(struct file *file)
> > > > > +{
> > > > > + if (!lsm_file_cache)
> > > > > + return 0;
> > > > > +
> > > > > + file->f_security = kmem_cache_zalloc(lsm_file_cache,
> > > > > GFP_KERNEL);
> > > > > + if (file->f_security == NULL)
> > > > > + return -ENOMEM;
> > > > > + return 0;
> > > > > ?}
> > > > > ?
> > > > > ?/*
> > > > > @@ -952,12 +982,25 @@ int security_file_permission(struct
> > > > > file *file,
> > > > > int mask)
> > > > > ?
> > > > > ?int security_file_alloc(struct file *file)
> > > > > ?{
> > > > > + int rc = lsm_file_alloc(file);
> > > > > +
> > > > > + if (rc)
> > > > > + return rc;
> > > > > ? return call_int_hook(file_alloc_security, 0, file);
> > > >
> > > > Suppose that a module's file_alloc_security() hook returns an
> > > > error.?
> > > > What should happen to the blob allocated by lsm_file_alloc()?
> > > > In
> > > > general, callers assumes that security_file_alloc() handles
> > > > cleanup
> > > > internally if it returns an error and do not call
> > > > security_file_free();
> > > > this is also true of other similar alloc hooks I believe.
> > > > ?Further, if
> > > > we allow the module file_alloc_security() hooks to perform any
> > > > allocation themselves, then we have a similar problem with
> > > > regard to
> > > > cleanup if any one of them fails; to be fully safe, we'd need
> > > > to call
> > > > the file_free_security() hook on the ones that had previously
> > > > returned
> > > > success. Either we need to handle such errors within
> > > > security_file_alloc(), or we need to dispense with the ability
> > > > to
> > > > allocate and return an error code from the module's
> > > > file_alloc_security(), i.e. make them return void, and probably
> > > > rename
> > > > them to file_init_security() or similar.
> > >
> > > I like the idea of changing file_alloc_security() to
> > > file_init_security()
> > > or maybe file_setup_security() and making the hook a void
> > > function. If a
> > > module wants to allocate space on its own it will need to deal
> > > with the
> > > fact that it may have been unable to do so. I hesitate to
> > > prohibit modules
> > > from allocating their own space because someone is going to want
> > > to have a
> > > list of attributes. Trying to manage memory that you don't know
> > > about is
> > > a loosing proposition.
> > >
> >
> > Changing it to a void is just going to lead to LSMs that handle
> > this them
> > selves having to deny every access of the object, because that is
> > the only
> > sane thing they can do if the data they need isn't present.
>
> It's also not going to work for the IPC cases where SELinux is
> doing access checks in the alloc functions. I sure wasn't expecting
> that. But the reality is that no security module does additional
> allocation, and I don't see any initialization that requires cleanup.
> Life will be a whole lot simpler if we keep it that way.
>
> Or, we can have a post_file_alloc_security() hook which takes a
> boolean
> that tells the function to complete or delete the action. The boolean
> would be set depending on whether security_file_alloc() succeeded or
> failed. It would be called in security_file_alloc() after the
> file_alloc_security() functions. Hm. That would keep it contained and
> mean that only modules that do their own management would have to
> have
> a hook. Brilliant! Messy, but workable. And best of all, nothing
> needs
> to be done until we have a module that needs it.
>
> > It far better to have the one failure upfront than having an LSM
> > rejecting
> > every access to the object after the fact. And looking down the
> > road to
> > namespacing for containers I don't see away to handle some of the
> > things
> > that will be needed without an LSM doing allocations and managing
> > stuff
> > internally, but thats an argument for a different patch series.
>
> OK, I'll buy that. Let's plan for post_file_alloc entries when the
> need
> arises, and leave the code the way it is for now.?
At a minimum, you need to change the code to free the lsm blob if any
of the hook calls fail; otherwise, you'll leak memory.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH 4/9] LSM: Manage task security blobs
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
` (2 preceding siblings ...)
2017-10-27 21:45 ` [PATCH 3/9] LSM: Manage file " Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-10-27 21:45 ` [PATCH 5/9] LSM: Manage remaining " Casey Schaufler
` (6 subsequent siblings)
10 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 4/9] LSM: Manage task security blobs
Move management of task security blobs into the security
infrastructure. Modules are required to identify the space
they require. At this time there are no modules that use
task blobs.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/security.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index e5d0f1e01b81..44f8619d93d6 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1920,6 +1920,7 @@ struct security_hook_list {
struct lsm_blob_sizes {
int lbs_cred;
int lbs_file;
+ int lbs_task;
};
/*
diff --git a/security/security.c b/security/security.c
index 4d8e702fa22f..70740b902e16 100644
--- a/security/security.c
+++ b/security/security.c
@@ -101,6 +101,7 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
+ pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task);
#endif
return 0;
@@ -278,6 +279,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+ lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task);
}
/**
@@ -299,6 +301,29 @@ int lsm_file_alloc(struct file *file)
return 0;
}
+/**
+ * lsm_task_alloc - allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_task_alloc(struct task_struct *task)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (task->security)
+ pr_info("%s: Inbound task blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_task == 0)
+ return 0;
+
+ task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
+ if (task->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
/*
* Hook list operation macros.
*
@@ -1102,12 +1127,19 @@ int security_file_open(struct file *file, const struct cred *cred)
int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
{
+ int rc = lsm_task_alloc(task);
+
+ if (rc)
+ return rc;
return call_int_hook(task_alloc, 0, task, clone_flags);
}
void security_task_free(struct task_struct *task)
{
call_void_hook(task_free, task);
+
+ kfree(task->security);
+ task->security = NULL;
}
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 5/9] LSM: Manage remaining security blobs
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
` (3 preceding siblings ...)
2017-10-27 21:45 ` [PATCH 4/9] LSM: Manage task " Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-11-29 11:21 ` Tetsuo Handa
2017-10-27 21:45 ` [PATCH 6/9] LSM: General stacking Casey Schaufler
` (5 subsequent siblings)
10 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 5/9] LSM: Manage remaining security blobs
Move management of the inode, ipc, key, msg_msg, sock and superblock
security blobs from the security modules to the infrastructure.
Use of the blob pointers is abstracted in the security modules.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 8 +
security/apparmor/include/net.h | 6 +
security/apparmor/lsm.c | 22 +--
security/security.c | 258 +++++++++++++++++++++++++++-
security/selinux/hooks.c | 333 ++++++++++++------------------------
security/selinux/include/objsec.h | 65 ++++++-
security/selinux/netlabel.c | 15 +-
security/selinux/selinuxfs.c | 4 +-
security/selinux/ss/services.c | 3 +-
security/smack/smack.h | 61 ++++++-
security/smack/smack_lsm.c | 349 +++++++++++---------------------------
security/smack/smack_netfilter.c | 8 +-
12 files changed, 610 insertions(+), 522 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 44f8619d93d6..cae3f6591044 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1920,6 +1920,12 @@ struct security_hook_list {
struct lsm_blob_sizes {
int lbs_cred;
int lbs_file;
+ int lbs_inode;
+ int lbs_ipc;
+ int lbs_key;
+ int lbs_msg_msg;
+ int lbs_sock;
+ int lbs_superblock;
int lbs_task;
};
@@ -1983,9 +1989,11 @@ static inline void loadpin_add_hooks(void) { };
#endif
extern int lsm_cred_alloc(struct cred *cred, gfp_t gfp);
+extern int lsm_inode_alloc(struct inode *inode);
#ifdef CONFIG_SECURITY
void lsm_early_cred(struct cred *cred);
+void lsm_early_inode(struct inode *inode);
#endif
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
index 140c8efcf364..c0400c3a24f7 100644
--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -56,8 +56,14 @@ struct aa_sk_ctx {
struct path path;
};
+#ifdef CONFIG_SECURITY_STACKING
+#define SK_CTX(X) ((X)->sk_security + apparmor_blob_sizes.lbs_sock)
+#define SOCK_ctx(X) (SOCK_INODE(X)->i_security + apparmor_blob_sizes.lbs_inode)
+#else
#define SK_CTX(X) ((X)->sk_security)
#define SOCK_ctx(X) SOCK_INODE(X)->i_security
+#endif
+
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
struct lsm_network_audit NAME ## _net = { .sk = (SK), \
.family = (F)}; \
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f2814ba84481..8edbf79062cd 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -715,33 +715,15 @@ static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
}
/**
- * apparmor_sk_alloc_security - allocate and attach the sk_security field
- */
-static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
-{
- struct aa_sk_ctx *ctx;
-
- ctx = kzalloc(sizeof(*ctx), flags);
- if (!ctx)
- return -ENOMEM;
-
- SK_CTX(sk) = ctx;
-
- return 0;
-}
-
-/**
* apparmor_sk_free_security - free the sk_security field
*/
static void apparmor_sk_free_security(struct sock *sk)
{
struct aa_sk_ctx *ctx = SK_CTX(sk);
- SK_CTX(sk) = NULL;
aa_put_label(ctx->label);
aa_put_label(ctx->peer);
path_put(&ctx->path);
- kfree(ctx);
}
/**
@@ -1079,6 +1061,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
struct lsm_blob_sizes apparmor_blob_sizes = {
.lbs_cred = sizeof(struct aa_task_ctx),
.lbs_file = sizeof(struct aa_file_ctx),
+ .lbs_sock = sizeof(struct aa_sk_ctx),
};
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
@@ -1115,7 +1098,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
- LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
@@ -1487,6 +1469,8 @@ static int __init apparmor_init(void)
if (!finish) {
if (apparmor_enabled && security_module_enable("apparmor"))
security_add_blobs(&apparmor_blob_sizes);
+ else
+ apparmor_enabled = 0;
finish = 1;
return 0;
}
diff --git a/security/security.c b/security/security.c
index 70740b902e16..8439acd36160 100644
--- a/security/security.c
+++ b/security/security.c
@@ -27,7 +27,9 @@
#include <linux/personality.h>
#include <linux/backing-dev.h>
#include <linux/string.h>
+#include <linux/msg.h>
#include <net/flow.h>
+#include <net/sock.h>
#define MAX_LSM_EVM_XATTR 2
@@ -38,6 +40,7 @@ struct security_hook_heads security_hook_heads __lsm_ro_after_init;
static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
static struct kmem_cache *lsm_file_cache;
+static struct kmem_cache *lsm_inode_cache;
char *lsm_names;
static struct lsm_blob_sizes blob_sizes;
@@ -91,6 +94,10 @@ int __init security_init(void)
lsm_file_cache = kmem_cache_create("lsm_file_cache",
blob_sizes.lbs_file, 0,
SLAB_PANIC, NULL);
+ if (blob_sizes.lbs_inode)
+ lsm_inode_cache = kmem_cache_create("lsm_inode_cache",
+ blob_sizes.lbs_inode, 0,
+ SLAB_PANIC, NULL);
/*
* The second call to a module specific init function
* adds hooks to the hook lists and does any other early
@@ -101,8 +108,16 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
+ pr_info("LSM: inode blob size = %d\n", blob_sizes.lbs_inode);
+ pr_info("LSM: ipc blob size = %d\n", blob_sizes.lbs_ipc);
+#ifdef CONFIG_KEYS
+ pr_info("LSM: key blob size = %d\n", blob_sizes.lbs_key);
+#endif /* CONFIG_KEYS */
+ pr_info("LSM: msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
+ pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock);
+ pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock);
pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task);
-#endif
+#endif /* CONFIG_SECURITY_LSM_DEBUG */
return 0;
}
@@ -279,7 +294,19 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+ lsm_set_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
+ lsm_set_size(&needed->lbs_key, &blob_sizes.lbs_key);
+ lsm_set_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
+ lsm_set_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
+ lsm_set_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task);
+ /*
+ * The inode blob gets an rcu_head in addition to
+ * what the modules might need.
+ */
+ if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
+ blob_sizes.lbs_inode = sizeof(struct rcu_head);
+ lsm_set_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
}
/**
@@ -324,6 +351,162 @@ int lsm_task_alloc(struct task_struct *task)
return 0;
}
+/**
+ * lsm_inode_alloc - allocate a composite inode blob
+ * @inode: the inode that needs a blob
+ *
+ * Allocate the inode blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_inode_alloc(struct inode *inode)
+{
+ if (!lsm_inode_cache)
+ return 0;
+
+ inode->i_security = kmem_cache_zalloc(lsm_inode_cache, GFP_KERNEL);
+ if (inode->i_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_early_inode - during initialization allocate a composite inode blob
+ * @inode: the inode that needs a blob
+ *
+ * Allocate the inode blob for all the modules if it's not already there
+ */
+void lsm_early_inode(struct inode *inode)
+{
+ int rc;
+
+ if (inode == NULL)
+ panic("%s: NULL inode.\n", __func__);
+ if (inode->i_security != NULL)
+ return;
+ rc = lsm_inode_alloc(inode);
+ if (rc)
+ panic("%s: Early inode alloc failed.\n", __func__);
+}
+
+/**
+ * lsm_ipc_alloc - allocate a composite ipc blob
+ * @kip: the ipc that needs a blob
+ *
+ * Allocate the ipc blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_ipc_alloc(struct kern_ipc_perm *kip)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (kip->security)
+ pr_info("%s: Inbound ipc blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_ipc == 0)
+ return 0;
+
+ kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
+ if (kip->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+#ifdef CONFIG_KEYS
+/**
+ * lsm_key_alloc - allocate a composite key blob
+ * @key: the key that needs a blob
+ *
+ * Allocate the key blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_key_alloc(struct key *key)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (key->security)
+ pr_info("%s: Inbound key blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_key == 0)
+ return 0;
+
+ key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
+ if (key->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+#endif /* CONFIG_KEYS */
+
+/**
+ * lsm_msg_msg_alloc - allocate a composite msg_msg blob
+ * @mp: the msg_msg that needs a blob
+ *
+ * Allocate the ipc blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_msg_msg_alloc(struct msg_msg *mp)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (mp->security)
+ pr_info("%s: Inbound msg_msg blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_msg_msg == 0)
+ return 0;
+
+ mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
+ if (mp->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_sock_alloc - allocate a composite sock blob
+ * @sock: the sock that needs a blob
+ * @priority: allocation mode
+ *
+ * Allocate the sock blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_sock_alloc(struct sock *sock, gfp_t priority)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (sock->sk_security)
+ pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_sock == 0)
+ return 0;
+
+ sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
+ if (sock->sk_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
+/**
+ * lsm_superblock_alloc - allocate a composite superblock blob
+ * @sb: the superblock that needs a blob
+ *
+ * Allocate the superblock blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_superblock_alloc(struct super_block *sb)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (sb->s_security)
+ pr_info("%s: Inbound superblock blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_superblock == 0)
+ return 0;
+
+ sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
+ if (sb->s_security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
/*
* Hook list operation macros.
*
@@ -491,12 +674,18 @@ void security_bprm_committed_creds(struct linux_binprm *bprm)
int security_sb_alloc(struct super_block *sb)
{
+ int rc = lsm_superblock_alloc(sb);
+
+ if (rc)
+ return rc;
return call_int_hook(sb_alloc_security, 0, sb);
}
void security_sb_free(struct super_block *sb)
{
call_void_hook(sb_free_security, sb);
+ kfree(sb->s_security);
+ sb->s_security = NULL;
}
int security_sb_copy_data(char *orig, char *copy)
@@ -570,14 +759,37 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode)
{
- inode->i_security = NULL;
+ int rc = lsm_inode_alloc(inode);
+
+ if (rc)
+ return rc;
return call_int_hook(inode_alloc_security, 0, inode);
}
+static void inode_free_by_rcu(struct rcu_head *head)
+{
+ /*
+ * The rcu head is at the start of the inode blob
+ */
+ kmem_cache_free(lsm_inode_cache, head);
+}
+
void security_inode_free(struct inode *inode)
{
integrity_inode_free(inode);
call_void_hook(inode_free_security, inode);
+ /*
+ * The inode may still be referenced in a path walk and
+ * a call to security_inode_permission() can be made
+ * after inode_free_security() is called. Ideally, the VFS
+ * wouldn't do this, but fixing that is a much harder
+ * job. For now, simply free the i_security via RCU, and
+ * leave the current inode->i_security pointer intact.
+ * The inode will be freed after the RCU grace period too.
+ */
+ if (inode->i_security)
+ call_rcu((struct rcu_head *)inode->i_security,
+ inode_free_by_rcu);
}
int security_dentry_init_security(struct dentry *dentry, int mode,
@@ -1325,22 +1537,36 @@ void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
int security_msg_msg_alloc(struct msg_msg *msg)
{
+ int rc = lsm_msg_msg_alloc(msg);
+
+ if (rc)
+ return rc;
return call_int_hook(msg_msg_alloc_security, 0, msg);
}
void security_msg_msg_free(struct msg_msg *msg)
{
call_void_hook(msg_msg_free_security, msg);
+ kfree(msg->security);
+ msg->security = NULL;
}
int security_msg_queue_alloc(struct msg_queue *msq)
{
+ int rc = lsm_ipc_alloc(&msq->q_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(msg_queue_alloc_security, 0, msq);
}
void security_msg_queue_free(struct msg_queue *msq)
{
+ struct kern_ipc_perm *kip = &msq->q_perm;
+
call_void_hook(msg_queue_free_security, msq);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
@@ -1367,12 +1593,20 @@ int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
int security_shm_alloc(struct shmid_kernel *shp)
{
+ int rc = lsm_ipc_alloc(&shp->shm_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(shm_alloc_security, 0, shp);
}
void security_shm_free(struct shmid_kernel *shp)
{
+ struct kern_ipc_perm *kip = &shp->shm_perm;
+
call_void_hook(shm_free_security, shp);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_shm_associate(struct shmid_kernel *shp, int shmflg)
@@ -1392,12 +1626,20 @@ int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmfl
int security_sem_alloc(struct sem_array *sma)
{
+ int rc = lsm_ipc_alloc(&sma->sem_perm);
+
+ if (rc)
+ return rc;
return call_int_hook(sem_alloc_security, 0, sma);
}
void security_sem_free(struct sem_array *sma)
{
+ struct kern_ipc_perm *kip = &sma->sem_perm;
+
call_void_hook(sem_free_security, sma);
+ kfree(kip->security);
+ kip->security = NULL;
}
int security_sem_associate(struct sem_array *sma, int semflg)
@@ -1609,12 +1851,18 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
{
+ int rc = lsm_sock_alloc(sk, priority);
+
+ if (rc)
+ return rc;
return call_int_hook(sk_alloc_security, 0, sk, family, priority);
}
void security_sk_free(struct sock *sk)
{
call_void_hook(sk_free_security, sk);
+ kfree(sk->sk_security);
+ sk->sk_security = NULL;
}
void security_sk_clone(const struct sock *sk, struct sock *newsk)
@@ -1844,12 +2092,18 @@ EXPORT_SYMBOL(security_skb_classify_flow);
int security_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
+ int rc = lsm_key_alloc(key);
+
+ if (rc)
+ return rc;
return call_int_hook(key_alloc, 0, key, cred, flags);
}
void security_key_free(struct key *key)
{
call_void_hook(key_free, key);
+ kfree(key->security);
+ key->security = NULL;
}
int security_key_permission(key_ref_t key_ref,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 28e641f829b2..cfee70096f97 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -128,8 +128,6 @@ __setup("selinux=", selinux_enabled_setup);
int selinux_enabled = 1;
#endif
-static struct kmem_cache *sel_inode_cache;
-
/**
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
*
@@ -223,13 +221,9 @@ static inline u32 task_sid(const struct task_struct *task)
static int inode_alloc_security(struct inode *inode)
{
- struct inode_security_struct *isec;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 sid = current_sid();
- isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
- if (!isec)
- return -ENOMEM;
-
spin_lock_init(&isec->lock);
INIT_LIST_HEAD(&isec->list);
isec->inode = inode;
@@ -237,7 +231,6 @@ static int inode_alloc_security(struct inode *inode)
isec->sclass = SECCLASS_FILE;
isec->task_sid = sid;
isec->initialized = LABEL_INVALID;
- inode->i_security = isec;
return 0;
}
@@ -255,7 +248,7 @@ static int __inode_security_revalidate(struct inode *inode,
struct dentry *opt_dentry,
bool may_sleep)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
might_sleep_if(may_sleep);
@@ -275,7 +268,7 @@ static int __inode_security_revalidate(struct inode *inode,
static struct inode_security_struct *inode_security_novalidate(struct inode *inode)
{
- return inode->i_security;
+ return selinux_inode(inode);
}
static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)
@@ -285,7 +278,7 @@ static struct inode_security_struct *inode_security_rcu(struct inode *inode, boo
error = __inode_security_revalidate(inode, NULL, !rcu);
if (error)
return ERR_PTR(error);
- return inode->i_security;
+ return selinux_inode(inode);
}
/*
@@ -294,14 +287,14 @@ static struct inode_security_struct *inode_security_rcu(struct inode *inode, boo
static struct inode_security_struct *inode_security(struct inode *inode)
{
__inode_security_revalidate(inode, NULL, true);
- return inode->i_security;
+ return selinux_inode(inode);
}
static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)
{
struct inode *inode = d_backing_inode(dentry);
- return inode->i_security;
+ return selinux_inode(inode);
}
/*
@@ -312,21 +305,14 @@ static struct inode_security_struct *backing_inode_security(struct dentry *dentr
struct inode *inode = d_backing_inode(dentry);
__inode_security_revalidate(inode, dentry, true);
- return inode->i_security;
-}
-
-static void inode_free_rcu(struct rcu_head *head)
-{
- struct inode_security_struct *isec;
-
- isec = container_of(head, struct inode_security_struct, rcu);
- kmem_cache_free(sel_inode_cache, isec);
+ return selinux_inode(inode);
}
static void inode_free_security(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
+ struct superblock_security_struct *sbsec =
+ selinux_superblock(inode->i_sb);
/*
* As not all inode security structures are in a list, we check for
@@ -343,17 +329,6 @@ static void inode_free_security(struct inode *inode)
list_del_init(&isec->list);
spin_unlock(&sbsec->isec_lock);
}
-
- /*
- * The inode may still be referenced in a path walk and
- * a call to selinux_inode_permission() can be made
- * after inode_free_security() is called. Ideally, the VFS
- * wouldn't do this, but fixing that is a much harder
- * job. For now, simply free the i_security via RCU, and
- * leave the current inode->i_security pointer intact.
- * The inode will be freed after the RCU grace period too.
- */
- call_rcu(&isec->rcu, inode_free_rcu);
}
static int file_alloc_security(struct file *file)
@@ -369,11 +344,7 @@ static int file_alloc_security(struct file *file)
static int superblock_alloc_security(struct super_block *sb)
{
- struct superblock_security_struct *sbsec;
-
- sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
- if (!sbsec)
- return -ENOMEM;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
mutex_init(&sbsec->lock);
INIT_LIST_HEAD(&sbsec->isec_head);
@@ -382,18 +353,10 @@ static int superblock_alloc_security(struct super_block *sb)
sbsec->sid = SECINITSID_UNLABELED;
sbsec->def_sid = SECINITSID_FILE;
sbsec->mntpoint_sid = SECINITSID_UNLABELED;
- sb->s_security = sbsec;
return 0;
}
-static void superblock_free_security(struct super_block *sb)
-{
- struct superblock_security_struct *sbsec = sb->s_security;
- sb->s_security = NULL;
- kfree(sbsec);
-}
-
static inline int inode_doinit(struct inode *inode)
{
return inode_doinit_with_dentry(inode, NULL);
@@ -457,7 +420,7 @@ static int may_context_mount_inode_relabel(u32 sid,
static int selinux_is_sblabel_mnt(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
return sbsec->behavior == SECURITY_FS_USE_XATTR ||
sbsec->behavior == SECURITY_FS_USE_TRANS ||
@@ -476,7 +439,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
static int sb_finish_set_opts(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
struct dentry *root = sb->s_root;
struct inode *root_inode = d_backing_inode(root);
int rc = 0;
@@ -559,7 +522,7 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
struct security_mnt_opts *opts)
{
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
char *context = NULL;
u32 len;
char tmp;
@@ -622,7 +585,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct dentry *root = sbsec->sb->s_root;
- struct inode_security_struct *isec = backing_inode_security(root);
+ struct inode_security_struct *isec =
+ backing_inode_security(root);
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
@@ -675,7 +639,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
{
const struct cred *cred = current_cred();
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
const char *name = sb->s_type->name;
struct dentry *root = sbsec->sb->s_root;
struct inode_security_struct *root_isec;
@@ -926,8 +890,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
static int selinux_cmp_sb_context(const struct super_block *oldsb,
const struct super_block *newsb)
{
- struct superblock_security_struct *old = oldsb->s_security;
- struct superblock_security_struct *new = newsb->s_security;
+ struct superblock_security_struct *old = selinux_superblock(oldsb);
+ struct superblock_security_struct *new = selinux_superblock(newsb);
char oldflags = old->flags & SE_MNTMASK;
char newflags = new->flags & SE_MNTMASK;
@@ -959,8 +923,9 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
unsigned long *set_kern_flags)
{
int rc = 0;
- const struct superblock_security_struct *oldsbsec = oldsb->s_security;
- struct superblock_security_struct *newsbsec = newsb->s_security;
+ const struct superblock_security_struct *oldsbsec =
+ selinux_superblock(oldsb);
+ struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
int set_context = (oldsbsec->flags & CONTEXT_MNT);
@@ -1013,14 +978,17 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
if (!set_fscontext)
newsbsec->sid = sid;
if (!set_rootcontext) {
- struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
+ struct inode_security_struct *newisec =
+ backing_inode_security(newsb->s_root);
newisec->sid = sid;
}
newsbsec->mntpoint_sid = sid;
}
if (set_rootcontext) {
- const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root);
- struct inode_security_struct *newisec = backing_inode_security(newsb->s_root);
+ const struct inode_security_struct *oldisec =
+ backing_inode_security(oldsb->s_root);
+ struct inode_security_struct *newisec =
+ backing_inode_security(newsb->s_root);
newisec->sid = oldisec->sid;
}
@@ -1464,7 +1432,7 @@ static int selinux_genfs_get_sid(struct dentry *dentry,
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
struct superblock_security_struct *sbsec = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 task_sid, sid = 0;
u16 sclass;
struct dentry *dentry;
@@ -1483,7 +1451,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
if (isec->sclass == SECCLASS_FILE)
isec->sclass = inode_mode_to_security_class(inode->i_mode);
- sbsec = inode->i_sb->s_security;
+ sbsec = selinux_superblock(inode->i_sb);
if (!(sbsec->flags & SE_SBINITIALIZED)) {
/* Defer initialization until selinux_complete_init,
after the initial policy is loaded and the security
@@ -1749,7 +1717,7 @@ static int inode_has_perm(const struct cred *cred,
return 0;
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = selinux_inode(inode);
return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
}
@@ -1846,7 +1814,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec,
const struct qstr *name, u16 tclass,
u32 *_new_isid)
{
- const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
+ const struct superblock_security_struct *sbsec =
+ selinux_superblock(dir->i_sb);
if ((sbsec->flags & SE_SBINITIALIZED) &&
(sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
@@ -1876,7 +1845,7 @@ static int may_create(struct inode *dir,
int rc;
dsec = inode_security(dir);
- sbsec = dir->i_sb->s_security;
+ sbsec = selinux_superblock(dir->i_sb);
sid = tsec->sid;
@@ -2015,7 +1984,7 @@ static int superblock_has_perm(const struct cred *cred,
struct superblock_security_struct *sbsec;
u32 sid = cred_sid(cred);
- sbsec = sb->s_security;
+ sbsec = selinux_superblock(sb);
return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
@@ -2614,11 +2583,6 @@ static int selinux_sb_alloc_security(struct super_block *sb)
return superblock_alloc_security(sb);
}
-static void selinux_sb_free_security(struct super_block *sb)
-{
- superblock_free_security(sb);
-}
-
static inline int match_prefix(char *prefix, int plen, char *option, int olen)
{
if (plen > olen)
@@ -2715,7 +2679,7 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
int rc, i, *flags;
struct security_mnt_opts opts;
char *secdata, **mount_options;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
if (!(sbsec->flags & SE_SBINITIALIZED))
return 0;
@@ -2906,7 +2870,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
int rc;
char *context;
- sbsec = dir->i_sb->s_security;
+ sbsec = selinux_superblock(dir->i_sb);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -2920,7 +2884,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
/* Possibly defer initialization to selinux_complete_init. */
if (sbsec->flags & SE_SBINITIALIZED) {
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
isec->sclass = inode_mode_to_security_class(inode->i_mode);
isec->sid = newsid;
isec->initialized = LABEL_INITIALIZED;
@@ -3018,7 +2982,7 @@ static noinline int audit_inode_permission(struct inode *inode,
unsigned flags)
{
struct common_audit_data ad;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
int rc;
ad.type = LSM_AUDIT_DATA_INODE;
@@ -3154,7 +3118,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
- sbsec = inode->i_sb->s_security;
+ sbsec = selinux_superblock(inode->i_sb);
if (!(sbsec->flags & SBLABEL_MNT))
return -EOPNOTSUPP;
@@ -3987,7 +3951,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
static void selinux_task_to_inode(struct task_struct *p,
struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
u32 sid = task_sid(p);
spin_lock(&isec->lock);
@@ -4273,7 +4237,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
static int sock_has_perm(struct sock *sk, u32 perms)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4328,7 +4292,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
isec->initialized = LABEL_INITIALIZED;
if (sock->sk) {
- sksec = sock->sk->sk_security;
+ sksec = selinux_sock(sock->sk);
sksec->sclass = sclass;
sksec->sid = sid;
err = selinux_netlbl_socket_post_create(sock->sk, family);
@@ -4359,7 +4323,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
family = sk->sk_family;
if (family == PF_INET || family == PF_INET6) {
char *addrp;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
struct sockaddr_in *addr4 = NULL;
@@ -4452,7 +4416,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
int err;
err = sock_has_perm(sk, SOCKET__CONNECT);
@@ -4584,9 +4548,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
{
- struct sk_security_struct *sksec_sock = sock->sk_security;
- struct sk_security_struct *sksec_other = other->sk_security;
- struct sk_security_struct *sksec_new = newsk->sk_security;
+ struct sk_security_struct *sksec_sock = selinux_sock(sock);
+ struct sk_security_struct *sksec_other = selinux_sock(other);
+ struct sk_security_struct *sksec_new = selinux_sock(newsk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
int err;
@@ -4617,8 +4581,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
static int selinux_socket_unix_may_send(struct socket *sock,
struct socket *other)
{
- struct sk_security_struct *ssec = sock->sk->sk_security;
- struct sk_security_struct *osec = other->sk->sk_security;
+ struct sk_security_struct *ssec = selinux_sock(sock->sk);
+ struct sk_security_struct *osec = selinux_sock(other->sk);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4657,7 +4621,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
int err = 0;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4689,7 +4653,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
int err;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
@@ -4755,13 +4719,15 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return err;
}
-static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
- int __user *optlen, unsigned len)
+static int selinux_socket_getpeersec_stream(struct socket *sock,
+ __user char *optval,
+ __user int *optlen,
+ unsigned int len)
{
int err = 0;
char *scontext;
u32 scontext_len;
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sock->sk);
u32 peer_sid = SECSID_NULL;
if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
@@ -4819,34 +4785,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
{
- struct sk_security_struct *sksec;
-
- sksec = kzalloc(sizeof(*sksec), priority);
- if (!sksec)
- return -ENOMEM;
+ struct sk_security_struct *sksec = selinux_sock(sk);
sksec->peer_sid = SECINITSID_UNLABELED;
sksec->sid = SECINITSID_UNLABELED;
sksec->sclass = SECCLASS_SOCKET;
selinux_netlbl_sk_security_reset(sksec);
- sk->sk_security = sksec;
return 0;
}
static void selinux_sk_free_security(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
- sk->sk_security = NULL;
selinux_netlbl_sk_security_free(sksec);
- kfree(sksec);
}
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
{
- struct sk_security_struct *sksec = sk->sk_security;
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
+ struct sk_security_struct *newsksec = selinux_sock(newsk);
newsksec->sid = sksec->sid;
newsksec->peer_sid = sksec->peer_sid;
@@ -4860,7 +4819,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
if (!sk)
*secid = SECINITSID_ANY_SOCKET;
else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
*secid = sksec->sid;
}
@@ -4870,7 +4829,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
struct inode_security_struct *isec =
inode_security_novalidate(SOCK_INODE(parent));
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
sk->sk_family == PF_UNIX)
@@ -4881,7 +4840,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
int err;
u16 family = req->rsk_ops->family;
u32 connsid;
@@ -4902,7 +4861,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void selinux_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *newsksec = selinux_sock(newsk);
newsksec->sid = req->secid;
newsksec->peer_sid = req->peer_secid;
@@ -4919,7 +4878,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
{
u16 family = sk->sk_family;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
/* handle mapped IPv4 packets arriving via IPv6 sockets */
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -4999,7 +4958,7 @@ static int selinux_tun_dev_attach_queue(void *security)
static int selinux_tun_dev_attach(struct sock *sk, void *security)
{
struct tun_security_struct *tunsec = security;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
/* we don't currently perform any NetLabel based labeling here and it
* isn't clear that we would want to do so anyway; while we could apply
@@ -5038,7 +4997,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
int err = 0;
u32 perm;
struct nlmsghdr *nlh;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (skb->len < NLMSG_HDRLEN) {
err = -EINVAL;
@@ -5177,7 +5136,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
return NF_ACCEPT;
/* standard practice, label using the parent socket */
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
sid = sksec->sid;
} else
sid = SECINITSID_KERNEL;
@@ -5216,7 +5175,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
if (sk == NULL)
return NF_ACCEPT;
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net;
@@ -5307,7 +5266,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
u32 skb_sid;
struct sk_security_struct *sksec;
- sksec = sk->sk_security;
+ sksec = selinux_sock(sk);
if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
return NF_DROP;
/* At this point, if the returned skb peerlbl is SECSID_NULL
@@ -5336,7 +5295,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
} else {
/* Locally generated packet, fetch the security label from the
* associated socket. */
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
peer_sid = sksec->sid;
secmark_perm = PACKET__SEND;
}
@@ -5396,51 +5355,22 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
return selinux_nlmsg_perm(sk, skb);
}
-static int ipc_alloc_security(struct kern_ipc_perm *perm,
- u16 sclass)
+static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
{
- struct ipc_security_struct *isec;
-
- isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
- if (!isec)
- return -ENOMEM;
-
isec->sclass = sclass;
isec->sid = current_sid();
- perm->security = isec;
-
- return 0;
-}
-
-static void ipc_free_security(struct kern_ipc_perm *perm)
-{
- struct ipc_security_struct *isec = perm->security;
- perm->security = NULL;
- kfree(isec);
}
static int msg_msg_alloc_security(struct msg_msg *msg)
{
struct msg_security_struct *msec;
- msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
- if (!msec)
- return -ENOMEM;
-
+ msec = selinux_msg_msg(msg);
msec->sid = SECINITSID_UNLABELED;
- msg->security = msec;
return 0;
}
-static void msg_msg_free_security(struct msg_msg *msg)
-{
- struct msg_security_struct *msec = msg->security;
-
- msg->security = NULL;
- kfree(msec);
-}
-
static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
u32 perms)
{
@@ -5448,7 +5378,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
struct common_audit_data ad;
u32 sid = current_sid();
- isec = ipc_perms->security;
+ isec = selinux_ipc(ipc_perms);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = ipc_perms->key;
@@ -5461,11 +5391,6 @@ static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
return msg_msg_alloc_security(msg);
}
-static void selinux_msg_msg_free_security(struct msg_msg *msg)
-{
- msg_msg_free_security(msg);
-}
-
/* message queue security operations */
static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
{
@@ -5474,27 +5399,15 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&msq->q_perm, SECCLASS_MSGQ);
- if (rc)
- return rc;
-
- isec = msq->q_perm.security;
+ isec = selinux_ipc(&msq->q_perm);
+ ipc_init_security(isec, SECCLASS_MSGQ);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
MSGQ__CREATE, &ad);
- if (rc) {
- ipc_free_security(&msq->q_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_msg_queue_free_security(struct msg_queue *msq)
-{
- ipc_free_security(&msq->q_perm);
+ return rc;
}
static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
@@ -5503,7 +5416,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = msq->q_perm.security;
+ isec = selinux_ipc(&msq->q_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -5549,8 +5462,8 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = current_sid();
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = selinux_ipc(&msq->q_perm);
+ msec = selinux_msg_msg(msg);
/*
* First time through, need to assign label to the message
@@ -5594,8 +5507,8 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = task_sid(target);
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = selinux_ipc(&msq->q_perm);
+ msec = selinux_msg_msg(msg);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -5616,27 +5529,15 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&shp->shm_perm, SECCLASS_SHM);
- if (rc)
- return rc;
-
- isec = shp->shm_perm.security;
+ isec = selinux_ipc(&shp->shm_perm);
+ ipc_init_security(isec, SECCLASS_SHM);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
SHM__CREATE, &ad);
- if (rc) {
- ipc_free_security(&shp->shm_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_shm_free_security(struct shmid_kernel *shp)
-{
- ipc_free_security(&shp->shm_perm);
+ return rc;
}
static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
@@ -5645,7 +5546,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = shp->shm_perm.security;
+ isec = selinux_ipc(&shp->shm_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -5709,27 +5610,15 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
u32 sid = current_sid();
int rc;
- rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
- if (rc)
- return rc;
-
- isec = sma->sem_perm.security;
+ isec = selinux_ipc(&sma->sem_perm);
+ ipc_init_security(isec, SECCLASS_SEM);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
SEM__CREATE, &ad);
- if (rc) {
- ipc_free_security(&sma->sem_perm);
- return rc;
- }
- return 0;
-}
-
-static void selinux_sem_free_security(struct sem_array *sma)
-{
- ipc_free_security(&sma->sem_perm);
+ return rc;
}
static int selinux_sem_associate(struct sem_array *sma, int semflg)
@@ -5738,7 +5627,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = sma->sem_perm.security;
+ isec = selinux_ipc(&sma->sem_perm);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5821,7 +5710,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- struct ipc_security_struct *isec = ipcp->security;
+ struct ipc_security_struct *isec = selinux_ipc(ipcp);
*secid = isec->sid;
}
@@ -6031,7 +5920,7 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
static void selinux_inode_invalidate_secctx(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = selinux_inode(inode);
spin_lock(&isec->lock);
isec->initialized = LABEL_INVALID;
@@ -6070,11 +5959,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
unsigned long flags)
{
const struct task_security_struct *tsec;
- struct key_security_struct *ksec;
-
- ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
- if (!ksec)
- return -ENOMEM;
+ struct key_security_struct *ksec = selinux_key(k);
tsec = selinux_cred(cred);
if (tsec->keycreate_sid)
@@ -6082,18 +5967,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
else
ksec->sid = tsec->sid;
- k->security = ksec;
return 0;
}
-static void selinux_key_free(struct key *k)
-{
- struct key_security_struct *ksec = k->security;
-
- k->security = NULL;
- kfree(ksec);
-}
-
static int selinux_key_permission(key_ref_t key_ref,
const struct cred *cred,
unsigned perm)
@@ -6111,14 +5987,14 @@ static int selinux_key_permission(key_ref_t key_ref,
sid = cred_sid(cred);
key = key_ref_to_ptr(key_ref);
- ksec = key->security;
+ ksec = selinux_key(key);
return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
static int selinux_key_getsecurity(struct key *key, char **_buffer)
{
- struct key_security_struct *ksec = key->security;
+ struct key_security_struct *ksec = selinux_key(key);
char *context = NULL;
unsigned len;
int rc;
@@ -6198,6 +6074,14 @@ static void selinux_ib_free_security(void *ib_sec)
struct lsm_blob_sizes selinux_blob_sizes = {
.lbs_cred = sizeof(struct task_security_struct),
.lbs_file = sizeof(struct file_security_struct),
+ .lbs_inode = sizeof(struct inode_security_struct),
+ .lbs_ipc = sizeof(struct ipc_security_struct),
+#ifdef CONFIG_KEYS
+ .lbs_key = sizeof(struct key_security_struct),
+#endif /* CONFIG_KEYS */
+ .lbs_msg_msg = sizeof(struct msg_security_struct),
+ .lbs_sock = sizeof(struct sk_security_struct),
+ .lbs_superblock = sizeof(struct superblock_security_struct),
};
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
@@ -6223,7 +6107,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
- LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
LSM_HOOK_INIT(sb_copy_data, selinux_sb_copy_data),
LSM_HOOK_INIT(sb_remount, selinux_sb_remount),
LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount),
@@ -6306,24 +6189,20 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
LSM_HOOK_INIT(msg_msg_alloc_security, selinux_msg_msg_alloc_security),
- LSM_HOOK_INIT(msg_msg_free_security, selinux_msg_msg_free_security),
LSM_HOOK_INIT(msg_queue_alloc_security,
selinux_msg_queue_alloc_security),
- LSM_HOOK_INIT(msg_queue_free_security, selinux_msg_queue_free_security),
LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
LSM_HOOK_INIT(msg_queue_msgsnd, selinux_msg_queue_msgsnd),
LSM_HOOK_INIT(msg_queue_msgrcv, selinux_msg_queue_msgrcv),
LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security),
- LSM_HOOK_INIT(shm_free_security, selinux_shm_free_security),
LSM_HOOK_INIT(shm_associate, selinux_shm_associate),
LSM_HOOK_INIT(shm_shmctl, selinux_shm_shmctl),
LSM_HOOK_INIT(shm_shmat, selinux_shm_shmat),
LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
- LSM_HOOK_INIT(sem_free_security, selinux_sem_free_security),
LSM_HOOK_INIT(sem_associate, selinux_sem_associate),
LSM_HOOK_INIT(sem_semctl, selinux_sem_semctl),
LSM_HOOK_INIT(sem_semop, selinux_sem_semop),
@@ -6405,7 +6284,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
#ifdef CONFIG_KEYS
LSM_HOOK_INIT(key_alloc, selinux_key_alloc),
- LSM_HOOK_INIT(key_free, selinux_key_free),
LSM_HOOK_INIT(key_permission, selinux_key_permission),
LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity),
#endif
@@ -6445,9 +6323,6 @@ static __init int selinux_init(void)
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
- sel_inode_cache = kmem_cache_create("selinux_inode_security",
- sizeof(struct inode_security_struct),
- 0, SLAB_PANIC, NULL);
avc_init();
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 504e15ed234f..f2f1e2d15eb8 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -59,10 +59,7 @@ enum label_initialized {
struct inode_security_struct {
struct inode *inode; /* back pointer to inode object */
- union {
- struct list_head list; /* list of inode_security_struct */
- struct rcu_head rcu; /* for freeing the inode_security_struct */
- };
+ struct list_head list; /* list of inode_security_struct */
u32 task_sid; /* SID of creating task */
u32 sid; /* SID of this object */
u16 sclass; /* security class of this object */
@@ -166,4 +163,64 @@ static inline struct file_security_struct *selinux_file(const struct file *file)
return file->f_security;
}
+static inline struct inode_security_struct *selinux_inode(
+ const struct inode *inode)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return inode->i_security + selinux_blob_sizes.lbs_inode;
+#else
+ return inode->i_security;
+#endif
+}
+
+static inline struct superblock_security_struct *selinux_superblock(
+ const struct super_block *superblock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return superblock->s_security + selinux_blob_sizes.lbs_superblock;
+#else
+ return superblock->s_security;
+#endif
+}
+
+static inline struct msg_security_struct *selinux_msg_msg(
+ const struct msg_msg *msg_msg)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return msg_msg->security + selinux_blob_sizes.lbs_msg_msg;
+#else
+ return msg_msg->security;
+#endif
+}
+
+static inline struct ipc_security_struct *selinux_ipc(
+ const struct kern_ipc_perm *ipc)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return ipc->security + selinux_blob_sizes.lbs_ipc;
+#else
+ return ipc->security;
+#endif
+}
+
+#ifdef CONFIG_KEYS
+static inline struct key_security_struct *selinux_key(const struct key *key)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return key->security + selinux_blob_sizes.lbs_key;
+#else
+ return key->security;
+#endif
+}
+#endif /* CONFIG_KEYS */
+
+static inline struct sk_security_struct *selinux_sock(const struct sock *sock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return sock->sk_security + selinux_blob_sizes.lbs_sock;
+#else
+ return sock->sk_security;
+#endif
+}
+
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index aaba6677ee2e..0b0091c04688 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -32,6 +32,7 @@
#include <linux/gfp.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
+#include <linux/lsm_hooks.h>
#include <net/sock.h>
#include <net/netlabel.h>
#include <net/ip.h>
@@ -82,7 +83,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_secattr != NULL)
@@ -114,7 +115,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
const struct sock *sk,
u32 sid)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr;
if (secattr == NULL)
@@ -249,7 +250,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
* being labeled by it's parent socket, if it is just exit */
sk = skb_to_full_sk(skb);
if (sk != NULL) {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (sksec->nlbl_state != NLBL_REQSKB)
return 0;
secattr = selinux_netlbl_sock_getattr(sk, sid);
@@ -311,7 +312,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
*/
void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
if (family == PF_INET)
sksec->nlbl_state = NLBL_LABELED;
@@ -332,7 +333,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (family != PF_INET && family != PF_INET6)
@@ -446,7 +447,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
{
int rc = 0;
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr secattr;
if (selinux_netlbl_option(level, optname) &&
@@ -482,7 +483,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = selinux_sock(sk);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_state != NLBL_REQSKB &&
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 855a13053a81..1b4bed79101e 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1300,7 +1300,7 @@ static int sel_make_bools(void)
if (len >= PAGE_SIZE)
goto out;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = (struct inode_security_struct *)selinux_inode(inode);
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
if (ret) {
pr_warn_ratelimited("SELinux: no sid found, defaulting to security isid for %s\n",
@@ -1841,7 +1841,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
goto err;
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = (struct inode_security_struct *)selinux_inode(inode);
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = LABEL_INITIALIZED;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e4a1c0dc561a..bfd09d0ddfd2 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -52,6 +52,7 @@
#include <linux/selinux.h>
#include <linux/flex_array.h>
#include <linux/vmalloc.h>
+#include <linux/lsm_hooks.h>
#include <net/netlabel.h>
#include "flask.h"
@@ -2659,7 +2660,7 @@ int security_fs_use(struct super_block *sb)
{
int rc = 0;
struct ocontext *c;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec = selinux_superblock(sb);
const char *fstype = sb->s_type->name;
read_lock(&policy_rwlock);
diff --git a/security/smack/smack.h b/security/smack/smack.h
index d14e8d17eea0..1b875c2f3d9d 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -366,12 +366,69 @@ static inline struct smack_known **smack_file(const struct file *file)
return file->f_security;
}
+static inline struct inode_smack *smack_inode(const struct inode *inode)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return inode->i_security + smack_blob_sizes.lbs_inode;
+#else
+ return inode->i_security;
+#endif
+}
+
+static inline struct socket_smack *smack_sock(const struct sock *sock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return sock->sk_security + smack_blob_sizes.lbs_sock;
+#else
+ return sock->sk_security;
+#endif
+}
+
+static inline struct superblock_smack *smack_superblock(
+ const struct super_block *superblock)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return superblock->s_security + smack_blob_sizes.lbs_superblock;
+#else
+ return superblock->s_security;
+#endif
+}
+
+static inline struct smack_known **smack_msg_msg(const struct msg_msg *msg)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return msg->security + smack_blob_sizes.lbs_msg_msg;
+#else
+ return msg->security;
+#endif
+}
+
+static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return ipc->security + smack_blob_sizes.lbs_ipc;
+#else
+ return ipc->security;
+#endif
+}
+
+#ifdef CONFIG_KEYS
+static inline struct smack_known **smack_key(const struct key *key)
+{
+#ifdef CONFIG_SECURITY_STACKING
+ return key->security + smack_blob_sizes.lbs_key;
+#else
+ return key->security;
+#endif
+}
+#endif /* CONFIG_KEYS */
+
/*
* Is the directory transmuting?
*/
static inline int smk_inode_transmutable(const struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = smack_inode(isp);
return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
}
@@ -380,7 +437,7 @@ static inline int smk_inode_transmutable(const struct inode *isp)
*/
static inline struct smack_known *smk_of_inode(const struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = smack_inode(isp);
return sip->smk_inode;
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a807624aff9a..4588c48aab86 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -165,7 +165,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
static int smk_bu_inode(struct inode *inode, int mode, int rc)
{
struct task_smack *tsp = smack_cred(current_cred());
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -197,7 +197,7 @@ static int smk_bu_file(struct file *file, int mode, int rc)
struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -227,7 +227,7 @@ static int smk_bu_credfile(const struct cred *cred, struct file *file,
struct task_smack *tsp = smack_cred(cred);
struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file);
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
char acc[SMK_NUM_ACCESS_TYPE + 1];
if (isp->smk_flags & SMK_INODE_IMPURE)
@@ -287,24 +287,18 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip,
}
/**
- * new_inode_smack - allocate an inode security blob
+ * init_inode_smack - initialize an inode security blob
+ * @isp: the blob to initialize
* @skp: a pointer to the Smack label entry to use in the blob
*
- * Returns the new blob or NULL if there's no memory available
*/
-static struct inode_smack *new_inode_smack(struct smack_known *skp)
+static void init_inode_smack(struct inode *inode, struct smack_known *skp)
{
- struct inode_smack *isp;
-
- isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS);
- if (isp == NULL)
- return NULL;
+ struct inode_smack *isp = smack_inode(inode);
isp->smk_inode = skp;
isp->smk_flags = 0;
mutex_init(&isp->smk_lock);
-
- return isp;
}
/**
@@ -525,12 +519,7 @@ static int smack_syslog(int typefrom_file)
*/
static int smack_sb_alloc_security(struct super_block *sb)
{
- struct superblock_smack *sbsp;
-
- sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);
-
- if (sbsp == NULL)
- return -ENOMEM;
+ struct superblock_smack *sbsp = smack_superblock(sb);
sbsp->smk_root = &smack_known_floor;
sbsp->smk_default = &smack_known_floor;
@@ -539,23 +528,11 @@ static int smack_sb_alloc_security(struct super_block *sb)
/*
* SMK_SB_INITIALIZED will be zero from kzalloc.
*/
- sb->s_security = sbsp;
return 0;
}
/**
- * smack_sb_free_security - free a superblock blob
- * @sb: the superblock getting the blob
- *
- */
-static void smack_sb_free_security(struct super_block *sb)
-{
- kfree(sb->s_security);
- sb->s_security = NULL;
-}
-
-/**
* smack_sb_copy_data - copy mount options data for processing
* @orig: where to start
* @smackopts: mount options string
@@ -745,7 +722,7 @@ static int smack_set_mnt_opts(struct super_block *sb,
{
struct dentry *root = sb->s_root;
struct inode *inode = d_backing_inode(root);
- struct superblock_smack *sp = sb->s_security;
+ struct superblock_smack *sp = smack_superblock(sb);
struct inode_smack *isp;
struct smack_known *skp;
int i;
@@ -823,17 +800,13 @@ static int smack_set_mnt_opts(struct super_block *sb,
/*
* Initialize the root inode.
*/
- isp = inode->i_security;
- if (isp == NULL) {
- isp = new_inode_smack(sp->smk_root);
- if (isp == NULL)
- return -ENOMEM;
- inode->i_security = isp;
- } else
- isp->smk_inode = sp->smk_root;
+ lsm_early_inode(inode);
+ init_inode_smack(inode, sp->smk_root);
- if (transmute)
+ if (transmute) {
+ isp = smack_inode(inode);
isp->smk_flags |= SMK_INODE_TRANSMUTE;
+ }
return 0;
}
@@ -878,7 +851,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
*/
static int smack_sb_statfs(struct dentry *dentry)
{
- struct superblock_smack *sbp = dentry->d_sb->s_security;
+ struct superblock_smack *sbp = smack_superblock(dentry->d_sb);
int rc;
struct smk_audit_info ad;
@@ -911,11 +884,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->called_set_creds)
return 0;
- isp = inode->i_security;
+ isp = smack_inode(inode);
if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
return 0;
- sbsp = inode->i_sb->s_security;
+ sbsp = smack_superblock(inode->i_sb);
if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
isp->smk_task != sbsp->smk_root)
return 0;
@@ -962,49 +935,11 @@ static int smack_inode_alloc_security(struct inode *inode)
{
struct smack_known *skp = smk_of_current();
- inode->i_security = new_inode_smack(skp);
- if (inode->i_security == NULL)
- return -ENOMEM;
+ init_inode_smack(inode, skp);
return 0;
}
/**
- * smack_inode_free_rcu - Free inode_smack blob from cache
- * @head: the rcu_head for getting inode_smack pointer
- *
- * Call back function called from call_rcu() to free
- * the i_security blob pointer in inode
- */
-static void smack_inode_free_rcu(struct rcu_head *head)
-{
- struct inode_smack *issp;
-
- issp = container_of(head, struct inode_smack, smk_rcu);
- kmem_cache_free(smack_inode_cache, issp);
-}
-
-/**
- * smack_inode_free_security - free an inode blob using call_rcu()
- * @inode: the inode with a blob
- *
- * Clears the blob pointer in inode using RCU
- */
-static void smack_inode_free_security(struct inode *inode)
-{
- struct inode_smack *issp = inode->i_security;
-
- /*
- * The inode may still be referenced in a path walk and
- * a call to smack_inode_permission() can be made
- * after smack_inode_free_security() is called.
- * To avoid race condition free the i_security via RCU
- * and leave the current inode->i_security pointer intact.
- * The inode will be freed after the RCU grace period too.
- */
- call_rcu(&issp->smk_rcu, smack_inode_free_rcu);
-}
-
-/**
* smack_inode_init_security - copy out the smack from an inode
* @inode: the newly created inode
* @dir: containing directory object
@@ -1019,7 +954,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, const char **name,
void **value, size_t *len)
{
- struct inode_smack *issp = inode->i_security;
+ struct inode_smack *issp = smack_inode(inode);
struct smack_known *skp = smk_of_current();
struct smack_known *isp = smk_of_inode(inode);
struct smack_known *dsp = smk_of_inode(dir);
@@ -1204,7 +1139,7 @@ static int smack_inode_rename(struct inode *old_inode,
*/
static int smack_inode_permission(struct inode *inode, int mask)
{
- struct superblock_smack *sbsp = inode->i_sb->s_security;
+ struct superblock_smack *sbsp = smack_superblock(inode->i_sb);
struct smk_audit_info ad;
int no_block = mask & MAY_NOT_BLOCK;
int rc;
@@ -1357,7 +1292,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
struct smack_known *skp;
- struct inode_smack *isp = d_backing_inode(dentry)->i_security;
+ struct inode_smack *isp = smack_inode(d_backing_inode(dentry));
if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
isp->smk_flags |= SMK_INODE_TRANSMUTE;
@@ -1438,7 +1373,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
if (rc != 0)
return rc;
- isp = d_backing_inode(dentry)->i_security;
+ isp = smack_inode(d_backing_inode(dentry));
/*
* Don't do anything special for these.
* XATTR_NAME_SMACKIPIN
@@ -1446,7 +1381,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
*/
if (strcmp(name, XATTR_NAME_SMACK) == 0) {
struct super_block *sbp = dentry->d_sb;
- struct superblock_smack *sbsp = sbp->s_security;
+ struct superblock_smack *sbsp = smack_superblock(sbp);
isp->smk_inode = sbsp->smk_default;
} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
@@ -1498,7 +1433,7 @@ static int smack_inode_getsecurity(struct inode *inode,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
isp = ssp->smk_in;
@@ -1541,7 +1476,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
*/
static void smack_inode_getsecid(struct inode *inode, u32 *secid)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
*secid = isp->smk_inode->smk_secid;
}
@@ -1718,10 +1653,10 @@ static int smack_mmap_file(struct file *file,
if (unlikely(IS_PRIVATE(file_inode(file))))
return 0;
- isp = file_inode(file)->i_security;
+ isp = smack_inode(file_inode(file));
if (isp->smk_mmap == NULL)
return 0;
- sbsp = file_inode(file)->i_sb->s_security;
+ sbsp = smack_superblock(file_inode(file)->i_sb);
if (sbsp->smk_flags & SMK_SB_UNTRUSTED &&
isp->smk_mmap != sbsp->smk_root)
return -EACCES;
@@ -1874,7 +1809,7 @@ static int smack_file_receive(struct file *file)
if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
sock = SOCKET_I(inode);
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
tsp = smack_cred(current_cred());
/*
* If the receiving process can't write to the
@@ -2043,7 +1978,7 @@ static int smack_kernel_act_as(struct cred *new, u32 secid)
static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
struct task_smack *tsp = smack_cred(new);
tsp->smk_forked = isp->smk_inode;
@@ -2245,7 +2180,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
*/
static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = smack_inode(inode);
struct smack_known *skp = smk_of_task_struct(p);
isp->smk_inode = skp;
@@ -2268,11 +2203,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
{
struct smack_known *skp = smk_of_current();
- struct socket_smack *ssp;
-
- ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
- if (ssp == NULL)
- return -ENOMEM;
+ struct socket_smack *ssp = smack_sock(sk);
/*
* Sockets created by kernel threads receive web label.
@@ -2286,11 +2217,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
}
ssp->smk_packet = NULL;
- sk->sk_security = ssp;
-
return 0;
}
+#ifdef SMACK_IPV6_PORT_LABELING
/**
* smack_sk_free_security - Free a socket blob
* @sk: the socket
@@ -2299,7 +2229,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
*/
static void smack_sk_free_security(struct sock *sk)
{
-#ifdef SMACK_IPV6_PORT_LABELING
struct smk_port_label *spp;
if (sk->sk_family == PF_INET6) {
@@ -2312,9 +2241,8 @@ static void smack_sk_free_security(struct sock *sk)
}
rcu_read_unlock();
}
-#endif
- kfree(sk->sk_security);
}
+#endif
/**
* smack_ipv4host_label - check host based restrictions
@@ -2432,7 +2360,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
static int smack_netlabel(struct sock *sk, int labeled)
{
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
int rc = 0;
/*
@@ -2477,7 +2405,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
int rc;
int sk_lbl;
struct smack_known *hkp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smk_audit_info ad;
rcu_read_lock();
@@ -2553,7 +2481,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
{
struct sock *sk = sock->sk;
struct sockaddr_in6 *addr6;
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
struct smk_port_label *spp;
unsigned short port = 0;
@@ -2640,7 +2568,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
int act)
{
struct smk_port_label *spp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp = NULL;
unsigned short port;
struct smack_known *object;
@@ -2707,7 +2635,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
struct smack_known *skp;
- struct inode_smack *nsp = inode->i_security;
+ struct inode_smack *nsp = smack_inode(inode);
struct socket_smack *ssp;
struct socket *sock;
int rc = 0;
@@ -2734,7 +2662,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
ssp->smk_in = skp;
@@ -2782,7 +2710,7 @@ static int smack_socket_post_create(struct socket *sock, int family,
* Sockets created by kernel threads receive web label.
*/
if (unlikely(current->flags & PF_KTHREAD)) {
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
ssp->smk_in = &smack_known_web;
ssp->smk_out = &smack_known_web;
}
@@ -2834,7 +2762,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
struct smack_known *rsp;
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
#endif
if (sock->sk == NULL)
@@ -2891,35 +2819,13 @@ static int smack_flags_to_may(int flags)
*/
static int smack_msg_msg_alloc_security(struct msg_msg *msg)
{
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_msg_msg(msg);
- msg->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_msg_msg_free_security - Clear the security blob for msg_msg
- * @msg: the object
- *
- * Clears the blob pointer
- */
-static void smack_msg_msg_free_security(struct msg_msg *msg)
-{
- msg->security = NULL;
-}
-
-/**
- * smack_of_shm - the smack pointer for the shm
- * @shp: the object
- *
- * Returns a pointer to the smack value
- */
-static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
-{
- return (struct smack_known *)shp->shm_perm.security;
-}
-
-/**
* smack_shm_alloc_security - Set the security blob for shm
* @shp: the object
*
@@ -2927,27 +2833,13 @@ static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
*/
static int smack_shm_alloc_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&shp->shm_perm);
- isp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_shm_free_security - Clear the security blob for shm
- * @shp: the object
- *
- * Clears the blob pointer
- */
-static void smack_shm_free_security(struct shmid_kernel *shp)
-{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = NULL;
-}
-
-/**
* smk_curacc_shm : check if current has access on shm
* @shp : the object
* @access : access requested
@@ -2956,7 +2848,8 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
*/
static int smk_curacc_shm(struct shmid_kernel *shp, int access)
{
- struct smack_known *ssp = smack_of_shm(shp);
+ struct smack_known **blob = smack_ipc(&shp->shm_perm);
+ struct smack_known *ssp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3036,17 +2929,6 @@ static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
}
/**
- * smack_of_sem - the smack pointer for the sem
- * @sma: the object
- *
- * Returns a pointer to the smack value
- */
-static struct smack_known *smack_of_sem(struct sem_array *sma)
-{
- return (struct smack_known *)sma->sem_perm.security;
-}
-
-/**
* smack_sem_alloc_security - Set the security blob for sem
* @sma: the object
*
@@ -3054,27 +2936,13 @@ static struct smack_known *smack_of_sem(struct sem_array *sma)
*/
static int smack_sem_alloc_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&sma->sem_perm);
- isp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_sem_free_security - Clear the security blob for sem
- * @sma: the object
- *
- * Clears the blob pointer
- */
-static void smack_sem_free_security(struct sem_array *sma)
-{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = NULL;
-}
-
-/**
* smk_curacc_sem : check if current has access on sem
* @sma : the object
* @access : access requested
@@ -3083,7 +2951,8 @@ static void smack_sem_free_security(struct sem_array *sma)
*/
static int smk_curacc_sem(struct sem_array *sma, int access)
{
- struct smack_known *ssp = smack_of_sem(sma);
+ struct smack_known **blob = smack_ipc(&sma->sem_perm);
+ struct smack_known *ssp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3169,45 +3038,20 @@ static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
}
/**
- * smack_msg_alloc_security - Set the security blob for msg
+ * smack_msg_queue_alloc_security - Set the security blob for msg
* @msq: the object
*
* Returns 0
*/
static int smack_msg_queue_alloc_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
- struct smack_known *skp = smk_of_current();
+ struct smack_known **blob = smack_ipc(&msq->q_perm);
- kisp->security = skp;
+ *blob = smk_of_current();
return 0;
}
/**
- * smack_msg_free_security - Clear the security blob for msg
- * @msq: the object
- *
- * Clears the blob pointer
- */
-static void smack_msg_queue_free_security(struct msg_queue *msq)
-{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = NULL;
-}
-
-/**
- * smack_of_msq - the smack pointer for the msq
- * @msq: the object
- *
- * Returns a pointer to the smack label entry
- */
-static struct smack_known *smack_of_msq(struct msg_queue *msq)
-{
- return (struct smack_known *)msq->q_perm.security;
-}
-
-/**
* smk_curacc_msq : helper to check if current has access on msq
* @msq : the msq
* @access : access requested
@@ -3216,7 +3060,8 @@ static struct smack_known *smack_of_msq(struct msg_queue *msq)
*/
static int smk_curacc_msq(struct msg_queue *msq, int access)
{
- struct smack_known *msp = smack_of_msq(msq);
+ struct smack_known **blob = smack_ipc(&msq->q_perm);
+ struct smack_known *msp = *blob;
struct smk_audit_info ad;
int rc;
@@ -3319,7 +3164,8 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
*/
static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
{
- struct smack_known *iskp = ipp->security;
+ struct smack_known **blob = smack_ipc(ipp);
+ struct smack_known *iskp = *blob;
int may = smack_flags_to_may(flag);
struct smk_audit_info ad;
int rc;
@@ -3340,7 +3186,8 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
*/
static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
{
- struct smack_known *iskp = ipp->security;
+ struct smack_known **blob = smack_ipc(ipp);
+ struct smack_known *iskp = *blob;
*secid = iskp->smk_secid;
}
@@ -3368,7 +3215,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
if (inode == NULL)
return;
- isp = inode->i_security;
+ isp = smack_inode(inode);
mutex_lock(&isp->smk_lock);
/*
@@ -3379,7 +3226,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
goto unlockandout;
sbp = inode->i_sb;
- sbsp = sbp->s_security;
+ sbsp = smack_superblock(sbp);
/*
* We're going to use the superblock default label
* if there's no label on the file.
@@ -3673,9 +3520,9 @@ static int smack_unix_stream_connect(struct sock *sock,
{
struct smack_known *skp;
struct smack_known *okp;
- struct socket_smack *ssp = sock->sk_security;
- struct socket_smack *osp = other->sk_security;
- struct socket_smack *nsp = newsk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock);
+ struct socket_smack *osp = smack_sock(other);
+ struct socket_smack *nsp = smack_sock(newsk);
struct smk_audit_info ad;
int rc = 0;
#ifdef CONFIG_AUDIT
@@ -3721,8 +3568,8 @@ static int smack_unix_stream_connect(struct sock *sock,
*/
static int smack_unix_may_send(struct socket *sock, struct socket *other)
{
- struct socket_smack *ssp = sock->sk->sk_security;
- struct socket_smack *osp = other->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
+ struct socket_smack *osp = smack_sock(other->sk);
struct smk_audit_info ad;
int rc;
@@ -3759,7 +3606,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
- struct socket_smack *ssp = sock->sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sock->sk);
struct smack_known *rsp;
#endif
int rc = 0;
@@ -3923,7 +3770,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct netlbl_lsm_secattr secattr;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp = NULL;
int rc = 0;
struct smk_audit_info ad;
@@ -4032,7 +3879,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
int slen = 1;
int rc = 0;
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
if (ssp->smk_packet != NULL) {
rcp = ssp->smk_packet->smk_known;
slen = strlen(rcp) + 1;
@@ -4082,7 +3929,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
switch (family) {
case PF_UNIX:
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
s = ssp->smk_out->smk_secid;
break;
case PF_INET:
@@ -4095,7 +3942,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
* Translate what netlabel gave us.
*/
if (sock != NULL && sock->sk != NULL)
- ssp = sock->sk->sk_security;
+ ssp = smack_sock(sock->sk);
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0) {
@@ -4133,7 +3980,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
(sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
return;
- ssp = sk->sk_security;
+ ssp = smack_sock(sk);
ssp->smk_in = skp;
ssp->smk_out = skp;
/* cssp->smk_packet is already set in smack_inet_csk_clone() */
@@ -4153,7 +4000,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
{
u16 family = sk->sk_family;
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct netlbl_lsm_secattr secattr;
struct sockaddr_in addr;
struct iphdr *hdr;
@@ -4252,7 +4099,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void smack_inet_csk_clone(struct sock *sk,
const struct request_sock *req)
{
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = smack_sock(sk);
struct smack_known *skp;
if (req->peer_secid != 0) {
@@ -4284,24 +4131,14 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
+ struct smack_known **blob = smack_key(key);
struct smack_known *skp = smk_of_task(smack_cred(cred));
- key->security = skp;
+ *blob = skp;
return 0;
}
/**
- * smack_key_free - Clear the key security blob
- * @key: the object
- *
- * Clear the blob pointer
- */
-static void smack_key_free(struct key *key)
-{
- key->security = NULL;
-}
-
-/**
* smack_key_permission - Smack access on a key
* @key_ref: gets to the object
* @cred: the credentials to use
@@ -4313,6 +4150,8 @@ static void smack_key_free(struct key *key)
static int smack_key_permission(key_ref_t key_ref,
const struct cred *cred, unsigned perm)
{
+ struct smack_known **blob;
+ struct smack_known *skp;
struct key *keyp;
struct smk_audit_info ad;
struct smack_known *tkp = smk_of_task(smack_cred(cred));
@@ -4326,7 +4165,9 @@ static int smack_key_permission(key_ref_t key_ref,
* If the key hasn't been initialized give it access so that
* it may do so.
*/
- if (keyp->security == NULL)
+ blob = smack_key(keyp);
+ skp = *blob;
+ if (skp == NULL)
return 0;
/*
* This should not occur
@@ -4342,8 +4183,8 @@ static int smack_key_permission(key_ref_t key_ref,
request = MAY_READ;
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
request = MAY_WRITE;
- rc = smk_access(tkp, keyp->security, request, &ad);
- rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
+ rc = smk_access(tkp, skp, request, &ad);
+ rc = smk_bu_note("key access", tkp, skp, request, rc);
return rc;
}
@@ -4358,11 +4199,12 @@ static int smack_key_permission(key_ref_t key_ref,
*/
static int smack_key_getsecurity(struct key *key, char **_buffer)
{
- struct smack_known *skp = key->security;
+ struct smack_known **blob = smack_key(key);
+ struct smack_known *skp = *blob;
size_t length;
char *copy;
- if (key->security == NULL) {
+ if (skp == NULL) {
*_buffer = NULL;
return 0;
}
@@ -4571,6 +4413,14 @@ static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
struct lsm_blob_sizes smack_blob_sizes = {
.lbs_cred = sizeof(struct task_smack),
.lbs_file = sizeof(struct smack_known *),
+ .lbs_inode = sizeof(struct inode_smack),
+ .lbs_ipc = sizeof(struct smack_known *),
+#ifdef CONFIG_KEYS
+ .lbs_key = sizeof(struct smack_known *),
+#endif /* CONFIG_KEYS */
+ .lbs_msg_msg = sizeof(struct smack_known *),
+ .lbs_sock = sizeof(struct socket_smack),
+ .lbs_superblock = sizeof(struct superblock_smack),
};
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
@@ -4579,7 +4429,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(syslog, smack_syslog),
LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
- LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data),
LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount),
LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
@@ -4589,7 +4438,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds),
LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),
- LSM_HOOK_INIT(inode_free_security, smack_inode_free_security),
LSM_HOOK_INIT(inode_init_security, smack_inode_init_security),
LSM_HOOK_INIT(inode_link, smack_inode_link),
LSM_HOOK_INIT(inode_unlink, smack_inode_unlink),
@@ -4642,23 +4490,19 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
- LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security),
LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security),
- LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security),
LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl),
LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd),
LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv),
LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security),
- LSM_HOOK_INIT(shm_free_security, smack_shm_free_security),
LSM_HOOK_INIT(shm_associate, smack_shm_associate),
LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl),
LSM_HOOK_INIT(shm_shmat, smack_shm_shmat),
LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security),
- LSM_HOOK_INIT(sem_free_security, smack_sem_free_security),
LSM_HOOK_INIT(sem_associate, smack_sem_associate),
LSM_HOOK_INIT(sem_semctl, smack_sem_semctl),
LSM_HOOK_INIT(sem_semop, smack_sem_semop),
@@ -4681,7 +4525,9 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream),
LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram),
LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
+#ifdef SMACK_IPV6_PORT_LABELING
LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
+#endif
LSM_HOOK_INIT(sock_graft, smack_sock_graft),
LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),
@@ -4689,7 +4535,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
/* key management security hooks */
#ifdef CONFIG_KEYS
LSM_HOOK_INIT(key_alloc, smack_key_alloc),
- LSM_HOOK_INIT(key_free, smack_key_free),
LSM_HOOK_INIT(key_permission, smack_key_permission),
LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity),
#endif /* CONFIG_KEYS */
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index e36d17835d4f..701a1cc1bdcc 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -31,8 +31,8 @@ static unsigned int smack_ipv6_output(void *priv,
struct socket_smack *ssp;
struct smack_known *skp;
- if (sk && sk->sk_security) {
- ssp = sk->sk_security;
+ if (sk && smack_sock(sk)) {
+ ssp = smack_sock(sk);
skp = ssp->smk_out;
skb->secmark = skp->smk_secid;
}
@@ -49,8 +49,8 @@ static unsigned int smack_ipv4_output(void *priv,
struct socket_smack *ssp;
struct smack_known *skp;
- if (sk && sk->sk_security) {
- ssp = sk->sk_security;
+ if (sk && smack_sock(sk)) {
+ ssp = smack_sock(sk);
skp = ssp->smk_out;
skb->secmark = skp->smk_secid;
}
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 5/9] LSM: Manage remaining security blobs
2017-10-27 21:45 ` [PATCH 5/9] LSM: Manage remaining " Casey Schaufler
@ 2017-11-29 11:21 ` Tetsuo Handa
2017-11-29 15:47 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: Tetsuo Handa @ 2017-11-29 11:21 UTC (permalink / raw)
To: linux-security-module
Hello.
I browsed https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734686
and found a problem with how security blob is initialized.
Casey Schaufler wrote:
> +/**
> + * lsm_sock_alloc - allocate a composite sock blob
> + * @sock: the sock that needs a blob
> + * @priority: allocation mode
> + *
> + * Allocate the sock blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +int lsm_sock_alloc(struct sock *sock, gfp_t priority)
> +{
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> + if (sock->sk_security)
> + pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
> +#endif
If none of LSM modules use sock->sk_security, sock->sk_security is not
initialized to NULL (and sk_prot_alloc() does not always use __GFP_ZERO).
> + if (blob_sizes.lbs_sock == 0)
> + return 0;
> +
> + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
> + if (sock->sk_security == NULL)
> + return -ENOMEM;
> + return 0;
> +}
> @@ -1609,12 +1851,18 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
>
> int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
> {
> + int rc = lsm_sock_alloc(sk, priority);
> +
> + if (rc)
> + return rc;
In that report, no major LSMs are active because apparmor=0 is passed at
kernel command line. Thus, security_sk_alloc() does not initialize
sk->sk_security field and
> return call_int_hook(sk_alloc_security, 0, sk, family, priority);
> }
>
> void security_sk_free(struct sock *sk)
> {
> call_void_hook(sk_free_security, sk);
causes random oops at kfree().
> + kfree(sk->sk_security);
> + sk->sk_security = NULL;
> }
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 5/9] LSM: Manage remaining security blobs
2017-11-29 11:21 ` Tetsuo Handa
@ 2017-11-29 15:47 ` Casey Schaufler
2017-12-05 10:29 ` Tetsuo Handa
0 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2017-11-29 15:47 UTC (permalink / raw)
To: linux-security-module
On 11/29/2017 3:21 AM, Tetsuo Handa wrote:
> Hello.
>
> I browsed https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734686
> and found a problem with how security blob is initialized.
>
> Casey Schaufler wrote:
>> +/**
>> + * lsm_sock_alloc - allocate a composite sock blob
>> + * @sock: the sock that needs a blob
>> + * @priority: allocation mode
>> + *
>> + * Allocate the sock blob for all the modules
>> + *
>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>> + */
>> +int lsm_sock_alloc(struct sock *sock, gfp_t priority)
>> +{
>> +#ifdef CONFIG_SECURITY_LSM_DEBUG
>> + if (sock->sk_security)
>> + pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
>> +#endif
> If none of LSM modules use sock->sk_security, sock->sk_security is not
> initialized to NULL (and sk_prot_alloc() does not always use __GFP_ZERO).
Thank you. I will be working on the next revision real soon and
will include a fix for this.
>
>> + if (blob_sizes.lbs_sock == 0)
>> + return 0;
>> +
>> + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
>> + if (sock->sk_security == NULL)
>> + return -ENOMEM;
>> + return 0;
>> +}
>> @@ -1609,12 +1851,18 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
>>
>> int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
>> {
>> + int rc = lsm_sock_alloc(sk, priority);
>> +
>> + if (rc)
>> + return rc;
> In that report, no major LSMs are active because apparmor=0 is passed at
> kernel command line. Thus, security_sk_alloc() does not initialize
> sk->sk_security field and
>
>> return call_int_hook(sk_alloc_security, 0, sk, family, priority);
>> }
>>
>> void security_sk_free(struct sock *sk)
>> {
>> call_void_hook(sk_free_security, sk);
> causes random oops at kfree().
>
>> + kfree(sk->sk_security);
>> + sk->sk_security = NULL;
>> }
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 5/9] LSM: Manage remaining security blobs
2017-11-29 15:47 ` Casey Schaufler
@ 2017-12-05 10:29 ` Tetsuo Handa
2017-12-05 16:29 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: Tetsuo Handa @ 2017-12-05 10:29 UTC (permalink / raw)
To: linux-security-module
Casey Schaufler wrote:
> On 11/29/2017 3:21 AM, Tetsuo Handa wrote:
> > Hello.
> >
> > I browsed https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734686
> > and found a problem with how security blob is initialized.
> >
> > Casey Schaufler wrote:
> >> +/**
> >> + * lsm_sock_alloc - allocate a composite sock blob
> >> + * @sock: the sock that needs a blob
> >> + * @priority: allocation mode
> >> + *
> >> + * Allocate the sock blob for all the modules
> >> + *
> >> + * Returns 0, or -ENOMEM if memory can't be allocated.
> >> + */
> >> +int lsm_sock_alloc(struct sock *sock, gfp_t priority)
> >> +{
> >> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> >> + if (sock->sk_security)
> >> + pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
> >> +#endif
> > If none of LSM modules use sock->sk_security, sock->sk_security is not
> > initialized to NULL (and sk_prot_alloc() does not always use __GFP_ZERO).
>
> Thank you. I will be working on the next revision real soon and
> will include a fix for this.
>
Below is a patch to avoid uninitialized ->security field. (Strictly speaking,
we can remove more lines because kmalloc(0) != NULL. But this patch does not
remove such lines in case we want to check for ->security != NULL in future
code.)
----------
diff -ur linux-4.13.0-17.20.orig/security/security.c linux-4.13.0-17.20/security/security.c
--- linux-4.13.0-17.20.orig/security/security.c
+++ linux-4.13.0-17.20/security/security.c
@@ -324,12 +324,10 @@
*/
int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (cred->security)
- pr_info("%s: Inbound cred blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_cred == 0)
+ if (blob_sizes.lbs_cred == 0) {
+ cred->security = NULL;
return 0;
+ }
cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
if (cred->security == NULL)
@@ -406,12 +404,10 @@
*/
int lsm_file_alloc(struct file *file)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (file->f_security)
- pr_info("%s: Inbound file blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_file == 0)
+ if (blob_sizes.lbs_file == 0) {
+ file->f_security = NULL;
return 0;
+ }
file->f_security = kzalloc(blob_sizes.lbs_file, GFP_KERNEL);
if (file->f_security == NULL)
@@ -487,12 +483,10 @@
*/
int lsm_task_alloc(struct task_struct *task)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (task->security)
- pr_info("%s: Inbound task blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_task == 0)
+ if (blob_sizes.lbs_task == 0) {
+ task->security = NULL;
return 0;
+ }
task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
if (task->security == NULL)
@@ -518,12 +512,10 @@
*/
int lsm_inode_alloc(struct inode *inode)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (inode->i_security)
- pr_info("%s: Inbound inode blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_inode == 0)
+ if (blob_sizes.lbs_inode == 0) {
+ inode->i_security = NULL;
return 0;
+ }
inode->i_security = kzalloc(blob_sizes.lbs_inode, GFP_KERNEL);
if (inode->i_security == NULL)
@@ -560,12 +552,10 @@
*/
int lsm_ipc_alloc(struct kern_ipc_perm *kip)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (kip->security)
- pr_info("%s: Inbound ipc blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_ipc == 0)
+ if (blob_sizes.lbs_ipc == 0) {
+ kip->security = NULL;
return 0;
+ }
kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
if (kip->security == NULL)
@@ -584,12 +574,10 @@
*/
int lsm_key_alloc(struct key *key)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (key->security)
- pr_info("%s: Inbound key blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_key == 0)
+ if (blob_sizes.lbs_key == 0) {
+ key->security = NULL;
return 0;
+ }
key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
if (key->security == NULL)
@@ -608,12 +596,10 @@
*/
int lsm_msg_msg_alloc(struct msg_msg *mp)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (mp->security)
- pr_info("%s: Inbound msg_msg blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_msg_msg == 0)
+ if (blob_sizes.lbs_msg_msg == 0) {
+ mp->security = NULL;
return 0;
+ }
mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
if (mp->security == NULL)
@@ -632,13 +618,10 @@
*/
int lsm_sock_alloc(struct sock *sock, gfp_t priority)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (sock->sk_security)
- pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_sock == 0)
+ if (blob_sizes.lbs_sock == 0) {
+ sock->sk_security = NULL;
return 0;
-
+ }
sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
if (sock->sk_security == NULL)
return -ENOMEM;
@@ -655,12 +638,10 @@
*/
int lsm_superblock_alloc(struct super_block *sb)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (sb->s_security)
- pr_info("%s: Inbound superblock blob is not NULL.\n", __func__);
-#endif
- if (blob_sizes.lbs_superblock == 0)
+ if (blob_sizes.lbs_superblock == 0) {
+ sb->s_security = NULL;
return 0;
+ }
sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
if (sb->s_security == NULL)
----------
I noticed that Ubuntu 17.10 kernel crashes upon boot if the administrator tried to
specify one of (or none of) major LSM modules other than AppArmor using security=
parameter. It turned out that the cause is that we are failing to disable
AppArmor when security= parameter is used (and apparmor=0 is not used).
----------
[ 0.000000] Linux version 4.13.0-17-generic (buildd at lcy01-amd64-011) (gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)) #20-Ubuntu SMP Mon Nov 6 10:04:08 UTC 2017 (Ubuntu 4.13.0-17.20-generic 4.13.8)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=none
(...snipped...)
[ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=none
[ 0.000000] LSM: command line set 'none' security module(s).
(...snipped...)
[ 0.040322] Security Framework initialized
[ 0.041502] Yama: becoming mindful.
[ 0.050757] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[ 0.052000] IP: apparmor_init+0x26f/0x2fa
[ 0.052000] PGD 0
[ 0.052000] P4D 0
[ 0.052000]
[ 0.052000] Oops: 0002 [#1] SMP
[ 0.052000] Modules linked in:
[ 0.052000] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.0-17-generic #20-Ubuntu
[ 0.052000] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 0.052000] task: ffffffffa6410480 task.stack: ffffffffa6400000
[ 0.052000] RIP: 0010:apparmor_init+0x26f/0x2fa
[ 0.052000] RSP: 0000:ffffffffa6403e38 EFLAGS: 00010206
[ 0.052000] RAX: ffff8c6279012800 RBX: 0000000000000000 RCX: ffff8c6279012b98
[ 0.052000] RDX: 0000000000000020 RSI: 0000000000000080 RDI: 0000000000000000
[ 0.052000] RBP: ffffffffa6403e78 R08: ffff8c6278820000 R09: ffff8c6279006a00
[ 0.052000] R10: ffffffffa6403dd0 R11: 0000000000020120 R12: ffffffffa6457fe0
[ 0.052000] R13: 0000000000017210 R14: ffffffffa636e3e0 R15: 0000000000000000
[ 0.052000] FS: 0000000000000000(0000) GS:ffff8c6279600000(0000) knlGS:0000000000000000
[ 0.052000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.052000] CR2: 0000000000000020 CR3: 000000006bc09000 CR4: 00000000000406b0
[ 0.052000] Call Trace:
[ 0.052000] do_security_initcalls+0x1c/0x25
[ 0.052000] security_init+0x49/0x4d
[ 0.052000] start_kernel+0x465/0x4e1
[ 0.052000] ? early_idt_handler_array+0x120/0x120
[ 0.052000] x86_64_start_reservations+0x24/0x26
[ 0.052000] x86_64_start_kernel+0x13e/0x161
[ 0.052000] secondary_startup_64+0x9f/0x9f
[ 0.052000] Code: ff 48 8b 05 ac 43 3f 00 48 63 15 0d 2d e8 ff 49 03 54 24 78 48 8b 40 68 48 89 c1 48 81 c1 98 03 00 00 74 07 f0 ff 80 98 03 00 00 <48> 89 0a be 3b 00 00 00 48 c7 c2 13 96 2c a6 48 c7 c7 00 38 38
[ 0.052000] RIP: apparmor_init+0x26f/0x2fa RSP: ffffffffa6403e38
[ 0.052000] CR2: 0000000000000020
[ 0.052000] ---[ end trace 754b9ec1da9bb5fc ]---
[ 0.052000] Kernel panic - not syncing: Attempted to kill the idle task!
[ 0.052000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task!
[ 0.000000] Linux version 4.13.0-17-generic (buildd at lcy01-amd64-011) (gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)) #20-Ubuntu SMP Mon Nov 6 10:04:08 UTC 2017 (Ubuntu 4.13.0-17.20-generic 4.13.8)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=selinux
(...snipped...)
[ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=selinux
[ 0.000000] LSM: command line set 'selinux' security module(s).
(...snipped...)
[ 0.038014] Security Framework initialized
[ 0.039119] Yama: becoming mindful.
[ 0.040019] SELinux: Disabled at boot.
[ 0.049252] AppArmor: AppArmor initialized
[ 0.076808] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes)
[ 0.091667] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes)
[ 0.092461] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes)
[ 0.096417] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes)
[ 0.099552] Disabled fast string operations
[ 0.100007] CPU: Physical Processor ID: 0
[ 0.101090] ENERGY_PERF_BIAS: Set to 'normal', was 'performance'
[ 0.102650] ENERGY_PERF_BIAS: View and update with x86_energy_perf_policy(8)
[ 0.104008] mce: CPU supports 0 MCE banks
[ 0.105095] Last level iTLB entries: 4KB 512, 2MB 8, 4MB 8
[ 0.108003] Last level dTLB entries: 4KB 512, 2MB 32, 4MB 32, 1GB 0
[ 0.109930] Freeing SMP alternatives memory: 36K
[ 0.121143] smpboot: Max logical packages: 128
[ 0.124000] x2apic enabled
[ 0.124026] Switched APIC routing to physical x2apic.
[ 0.130183] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
[ 0.132000] smpboot: CPU0: Intel(R) Core(TM) i7-2630QM CPU @ 2.00GHz (family: 0x6, model: 0x2a, stepping: 0x7)
[ 0.132556] Performance Events: SandyBridge events, core PMU driver.
[ 0.135024] core: CPUID marked event: 'cpu cycles' unavailable
[ 0.136007] core: CPUID marked event: 'instructions' unavailable
[ 0.138399] core: CPUID marked event: 'bus cycles' unavailable
[ 0.140008] core: CPUID marked event: 'cache references' unavailable
[ 0.142397] core: CPUID marked event: 'cache misses' unavailable
[ 0.144004] core: CPUID marked event: 'branch instructions' unavailable
[ 0.146528] core: CPUID marked event: 'branch misses' unavailable
[ 0.148022] ... version: 1
[ 0.149754] ... bit width: 48
[ 0.151620] ... generic registers: 4
[ 0.152006] ... value mask: 0000ffffffffffff
[ 0.154124] ... max period: 000000007fffffff
[ 0.156004] ... fixed-purpose events: 0
[ 0.157598] ... event mask: 000000000000000f
[ 0.159990] Hierarchical SRCU implementation.
[ 0.160195] BUG: unable to handle kernel NULL pointer dereference at 000000000000000b
[ 0.163303] IP: __kmalloc_node+0x135/0x2a0
[ 0.164000] PGD 0
[ 0.164000] P4D 0
[ 0.164000]
[ 0.164000] Oops: 0000 [#1] SMP
[ 0.164000] Modules linked in:
[ 0.164000] CPU: 0 PID: 2 Comm: kthreadd Not tainted 4.13.0-17-generic #20-Ubuntu
[ 0.164000] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 0.164000] task: ffff980cf8658000 task.stack: ffffb809c0654000
[ 0.164000] RIP: 0010:__kmalloc_node+0x135/0x2a0
[ 0.164000] RSP: 0000:ffffb809c0657c70 EFLAGS: 00010246
[ 0.164000] RAX: 0000000000000000 RBX: 00000000014080c0 RCX: 0000000000000178
[ 0.164000] RDX: 0000000000000177 RSI: 0000000000000000 RDI: 000000000001f420
[ 0.164000] RBP: ffffb809c0657cb0 R08: ffff980cf961f420 R09: ffff980cf9007900
[ 0.164000] R10: ffffffffffffc000 R11: ffffd809bfffffff R12: 00000000014080c0
[ 0.164000] R13: 0000000000000020 R14: 000000000000000b R15: ffff980cf9007900
[ 0.164000] FS: 0000000000000000(0000) GS:ffff980cf9600000(0000) knlGS:0000000000000000
[ 0.164000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.164000] CR2: 000000000000000b CR3: 000000012b009000 CR4: 00000000000406f0
[ 0.164000] Call Trace:
[ 0.164000] ? __vmalloc_node_range+0xd4/0x260
[ 0.164000] __vmalloc_node_range+0xd4/0x260
[ 0.164000] copy_process.part.31+0x662/0x1ae0
[ 0.164000] ? _do_fork+0xdf/0x3f0
[ 0.164000] ? kthread_create_on_node+0x70/0x70
[ 0.164000] ? pick_next_task_fair+0x48e/0x560
[ 0.164000] _do_fork+0xdf/0x3f0
[ 0.164000] ? __schedule+0x293/0x890
[ 0.164000] kernel_thread+0x29/0x30
[ 0.164000] kthreadd+0x29f/0x2f0
[ 0.164000] ? kthread_create_on_cpu+0xa0/0xa0
[ 0.164000] ret_from_fork+0x25/0x30
[ 0.164000] Code: 89 cf 4c 89 4d c0 e8 0b 7f 01 00 49 89 c7 4c 8b 4d c0 4d 85 ff 0f 85 47 ff ff ff 45 31 f6 eb 3c 49 63 47 20 49 8b 3f 48 8d 4a 01 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 0f 84 20 ff
[ 0.164000] RIP: __kmalloc_node+0x135/0x2a0 RSP: ffffb809c0657c70
[ 0.164000] CR2: 000000000000000b
[ 0.164000] ---[ end trace 8bd0169accb86cdb ]---
[ 0.000000] Linux version 4.13.0-17-generic (buildd at lcy01-amd64-011) (gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)) #20-Ubuntu SMP Mon Nov 6 10:04:08 UTC 2017 (Ubuntu 4.13.0-17.20-generic 4.13.8)
[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=tomoyo
(...snipped...)
[ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=tomoyo
[ 0.000000] LSM: command line set 'tomoyo' security module(s).
(...snipped...)
[ 0.038327] Security Framework initialized
[ 0.040005] Yama: becoming mindful.
[ 0.040999] TOMOYO Linux initialized
[ 0.049585] AppArmor: AppArmor initialized
[ 0.077621] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes)
[ 0.092942] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes)
[ 0.095309] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes)
[ 0.096408] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes)
[ 0.100988] Disabled fast string operations
[ 0.102220] CPU: Physical Processor ID: 0
[ 0.103379] ENERGY_PERF_BIAS: Set to 'normal', was 'performance'
[ 0.104004] ENERGY_PERF_BIAS: View and update with x86_energy_perf_policy(8)
[ 0.105951] mce: CPU supports 0 MCE banks
[ 0.108017] Last level iTLB entries: 4KB 512, 2MB 8, 4MB 8
[ 0.109524] Last level dTLB entries: 4KB 512, 2MB 32, 4MB 32, 1GB 0
[ 0.111426] Freeing SMP alternatives memory: 36K
[ 0.117374] BUG: unable to handle kernel NULL pointer dereference at 0000000000000003
[ 0.119676] IP: __kmalloc+0x9b/0x200
[ 0.120000] PGD 0
[ 0.120000] P4D 0
[ 0.120000]
[ 0.120000] Oops: 0000 [#1] SMP
[ 0.120000] Modules linked in:
[ 0.120000] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.0-17-generic #20-Ubuntu
[ 0.120000] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 0.120000] task: ffffffff9a810480 task.stack: ffffffff9a800000
[ 0.120000] RIP: 0010:__kmalloc+0x9b/0x200
[ 0.120000] RSP: 0000:ffffffff9a803c58 EFLAGS: 00010206
[ 0.120000] RAX: 0000000000000000 RBX: 0000000000008000 RCX: 0000000000000037
[ 0.120000] RDX: 0000000000000036 RSI: 0000000000000000 RDI: 000000000001f3e0
[ 0.120000] RBP: ffffffff9a803c88 R08: ffff9a55b961f3e0 R09: ffff9a55b9007c00
[ 0.120000] R10: 0000000000000000 R11: 00000000000200c8 R12: 0000000000000003
[ 0.120000] R13: 00000000014080c0 R14: 0000000000000008 R15: ffff9a55b9007c00
[ 0.120000] FS: 0000000000000000(0000) GS:ffff9a55b9600000(0000) knlGS:0000000000000000
[ 0.120000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.120000] CR2: 0000000000000003 CR3: 00000000ba809000 CR4: 00000000000406f0
[ 0.120000] Call Trace:
[ 0.120000] ? security_prepare_creds+0x73/0x90
[ 0.120000] security_prepare_creds+0x73/0x90
[ 0.120000] prepare_creds+0xbd/0xf0
[ 0.120000] copy_creds+0x2f/0x120
[ 0.120000] copy_process.part.31+0x2e5/0x1ae0
[ 0.120000] ? enqueue_task_fair+0xaf/0x6b0
[ 0.120000] ? kthread_create_on_cpu+0xa0/0xa0
[ 0.120000] ? sched_clock+0x9/0x10
[ 0.120000] _do_fork+0xdf/0x3f0
[ 0.120000] ? update_rq_clock+0x30/0x80
[ 0.120000] ? do_set_mempolicy+0x30/0x130
[ 0.120000] kernel_thread+0x29/0x30
[ 0.120000] rest_init+0x74/0xc0
[ 0.120000] start_kernel+0x4c0/0x4e1
[ 0.120000] ? early_idt_handler_array+0x120/0x120
[ 0.120000] x86_64_start_reservations+0x24/0x26
[ 0.120000] x86_64_start_kernel+0x13e/0x161
[ 0.120000] secondary_startup_64+0x9f/0x9f
[ 0.120000] Code: 08 65 4c 03 05 f7 07 3e 66 49 83 78 10 00 4d 8b 20 0f 84 f7 00 00 00 4d 85 e4 0f 84 ee 00 00 00 49 63 41 20 49 8b 39 48 8d 4a 01 <49> 8b 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb 49 63
[ 0.120000] RIP: __kmalloc+0x9b/0x200 RSP: ffffffff9a803c58
[ 0.120000] CR2: 0000000000000003
[ 0.120000] ---[ end trace bee324c32248c3f4 ]---
[ 0.120000] Kernel panic - not syncing: Attempted to kill the idle task!
[ 0.120000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task!
----------
cred->security for AppArmor will not be allocated (and therefore will trigger
NULL pointer dereference) because security_add_blobs(&apparmor_blob_sizes) is
not called when the administrator asked not to enable AppArmor. We need to
reset apparmor_enabled to 0 in order to prevent apparmor_init() from calling
set_init_ctx().
----------
static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
{
#ifdef CONFIG_SECURITY_STACKING
return cred->security + apparmor_blob_sizes.lbs_cred;
#else
return cred->security;
#endif
}
static int __init set_init_ctx(void)
{
struct cred *cred = (struct cred *)current->real_cred;
struct aa_task_ctx *ctx;
lsm_early_cred(cred);
ctx = apparmor_cred(cred);
ctx->label = aa_get_label(ns_unconfined(root_ns));
return 0;
}
----------
Thus, please also apply below patch.
----------
diff -ur linux-4.13.0-17.20.orig/security/apparmor/lsm.c linux-4.13.0-17.20/security/apparmor/lsm.c
--- linux-4.13.0-17.20.orig/security/apparmor/lsm.c
+++ linux-4.13.0-17.20/security/apparmor/lsm.c
@@ -1562,6 +1562,8 @@
security_module_enable("apparmor",
IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
security_add_blobs(&apparmor_blob_sizes);
+ else
+ apparmor_enabled = 0;
finish = 1;
return 0;
}
----------
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 5/9] LSM: Manage remaining security blobs
2017-12-05 10:29 ` Tetsuo Handa
@ 2017-12-05 16:29 ` Casey Schaufler
0 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-12-05 16:29 UTC (permalink / raw)
To: linux-security-module
On 12/5/2017 2:29 AM, Tetsuo Handa wrote:
> Casey Schaufler wrote:
>> On 11/29/2017 3:21 AM, Tetsuo Handa wrote:
>>> Hello.
>>>
>>> I browsed https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1734686
>>> and found a problem with how security blob is initialized.
>>>
>>> Casey Schaufler wrote:
>>>> +/**
>>>> + * lsm_sock_alloc - allocate a composite sock blob
>>>> + * @sock: the sock that needs a blob
>>>> + * @priority: allocation mode
>>>> + *
>>>> + * Allocate the sock blob for all the modules
>>>> + *
>>>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>>>> + */
>>>> +int lsm_sock_alloc(struct sock *sock, gfp_t priority)
>>>> +{
>>>> +#ifdef CONFIG_SECURITY_LSM_DEBUG
>>>> + if (sock->sk_security)
>>>> + pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
>>>> +#endif
>>> If none of LSM modules use sock->sk_security, sock->sk_security is not
>>> initialized to NULL (and sk_prot_alloc() does not always use __GFP_ZERO).
>> Thank you. I will be working on the next revision real soon and
>> will include a fix for this.
>>
> Below is a patch to avoid uninitialized ->security field. (Strictly speaking,
> we can remove more lines because kmalloc(0) != NULL. But this patch does not
> remove such lines in case we want to check for ->security != NULL in future
> code.)
Thank you. I will incorporate this.
>
> ----------
> diff -ur linux-4.13.0-17.20.orig/security/security.c linux-4.13.0-17.20/security/security.c
> --- linux-4.13.0-17.20.orig/security/security.c
> +++ linux-4.13.0-17.20/security/security.c
> @@ -324,12 +324,10 @@
> */
> int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (cred->security)
> - pr_info("%s: Inbound cred blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_cred == 0)
> + if (blob_sizes.lbs_cred == 0) {
> + cred->security = NULL;
> return 0;
> + }
>
> cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
> if (cred->security == NULL)
> @@ -406,12 +404,10 @@
> */
> int lsm_file_alloc(struct file *file)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (file->f_security)
> - pr_info("%s: Inbound file blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_file == 0)
> + if (blob_sizes.lbs_file == 0) {
> + file->f_security = NULL;
> return 0;
> + }
>
> file->f_security = kzalloc(blob_sizes.lbs_file, GFP_KERNEL);
> if (file->f_security == NULL)
> @@ -487,12 +483,10 @@
> */
> int lsm_task_alloc(struct task_struct *task)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (task->security)
> - pr_info("%s: Inbound task blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_task == 0)
> + if (blob_sizes.lbs_task == 0) {
> + task->security = NULL;
> return 0;
> + }
>
> task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
> if (task->security == NULL)
> @@ -518,12 +512,10 @@
> */
> int lsm_inode_alloc(struct inode *inode)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (inode->i_security)
> - pr_info("%s: Inbound inode blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_inode == 0)
> + if (blob_sizes.lbs_inode == 0) {
> + inode->i_security = NULL;
> return 0;
> + }
>
> inode->i_security = kzalloc(blob_sizes.lbs_inode, GFP_KERNEL);
> if (inode->i_security == NULL)
> @@ -560,12 +552,10 @@
> */
> int lsm_ipc_alloc(struct kern_ipc_perm *kip)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (kip->security)
> - pr_info("%s: Inbound ipc blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_ipc == 0)
> + if (blob_sizes.lbs_ipc == 0) {
> + kip->security = NULL;
> return 0;
> + }
>
> kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
> if (kip->security == NULL)
> @@ -584,12 +574,10 @@
> */
> int lsm_key_alloc(struct key *key)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (key->security)
> - pr_info("%s: Inbound key blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_key == 0)
> + if (blob_sizes.lbs_key == 0) {
> + key->security = NULL;
> return 0;
> + }
>
> key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
> if (key->security == NULL)
> @@ -608,12 +596,10 @@
> */
> int lsm_msg_msg_alloc(struct msg_msg *mp)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (mp->security)
> - pr_info("%s: Inbound msg_msg blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_msg_msg == 0)
> + if (blob_sizes.lbs_msg_msg == 0) {
> + mp->security = NULL;
> return 0;
> + }
>
> mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
> if (mp->security == NULL)
> @@ -632,13 +618,10 @@
> */
> int lsm_sock_alloc(struct sock *sock, gfp_t priority)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (sock->sk_security)
> - pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_sock == 0)
> + if (blob_sizes.lbs_sock == 0) {
> + sock->sk_security = NULL;
> return 0;
> -
> + }
> sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
> if (sock->sk_security == NULL)
> return -ENOMEM;
> @@ -655,12 +638,10 @@
> */
> int lsm_superblock_alloc(struct super_block *sb)
> {
> -#ifdef CONFIG_SECURITY_LSM_DEBUG
> - if (sb->s_security)
> - pr_info("%s: Inbound superblock blob is not NULL.\n", __func__);
> -#endif
> - if (blob_sizes.lbs_superblock == 0)
> + if (blob_sizes.lbs_superblock == 0) {
> + sb->s_security = NULL;
> return 0;
> + }
>
> sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
> if (sb->s_security == NULL)
> ----------
>
> I noticed that Ubuntu 17.10 kernel crashes upon boot if the administrator tried to
> specify one of (or none of) major LSM modules other than AppArmor using security=
> parameter. It turned out that the cause is that we are failing to disable
> AppArmor when security= parameter is used (and apparmor=0 is not used).
>
> ----------
> [ 0.000000] Linux version 4.13.0-17-generic (buildd at lcy01-amd64-011) (gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)) #20-Ubuntu SMP Mon Nov 6 10:04:08 UTC 2017 (Ubuntu 4.13.0-17.20-generic 4.13.8)
> [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=none
> (...snipped...)
> [ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=none
> [ 0.000000] LSM: command line set 'none' security module(s).
> (...snipped...)
> [ 0.040322] Security Framework initialized
> [ 0.041502] Yama: becoming mindful.
> [ 0.050757] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
> [ 0.052000] IP: apparmor_init+0x26f/0x2fa
> [ 0.052000] PGD 0
> [ 0.052000] P4D 0
> [ 0.052000]
> [ 0.052000] Oops: 0002 [#1] SMP
> [ 0.052000] Modules linked in:
> [ 0.052000] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.0-17-generic #20-Ubuntu
> [ 0.052000] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
> [ 0.052000] task: ffffffffa6410480 task.stack: ffffffffa6400000
> [ 0.052000] RIP: 0010:apparmor_init+0x26f/0x2fa
> [ 0.052000] RSP: 0000:ffffffffa6403e38 EFLAGS: 00010206
> [ 0.052000] RAX: ffff8c6279012800 RBX: 0000000000000000 RCX: ffff8c6279012b98
> [ 0.052000] RDX: 0000000000000020 RSI: 0000000000000080 RDI: 0000000000000000
> [ 0.052000] RBP: ffffffffa6403e78 R08: ffff8c6278820000 R09: ffff8c6279006a00
> [ 0.052000] R10: ffffffffa6403dd0 R11: 0000000000020120 R12: ffffffffa6457fe0
> [ 0.052000] R13: 0000000000017210 R14: ffffffffa636e3e0 R15: 0000000000000000
> [ 0.052000] FS: 0000000000000000(0000) GS:ffff8c6279600000(0000) knlGS:0000000000000000
> [ 0.052000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 0.052000] CR2: 0000000000000020 CR3: 000000006bc09000 CR4: 00000000000406b0
> [ 0.052000] Call Trace:
> [ 0.052000] do_security_initcalls+0x1c/0x25
> [ 0.052000] security_init+0x49/0x4d
> [ 0.052000] start_kernel+0x465/0x4e1
> [ 0.052000] ? early_idt_handler_array+0x120/0x120
> [ 0.052000] x86_64_start_reservations+0x24/0x26
> [ 0.052000] x86_64_start_kernel+0x13e/0x161
> [ 0.052000] secondary_startup_64+0x9f/0x9f
> [ 0.052000] Code: ff 48 8b 05 ac 43 3f 00 48 63 15 0d 2d e8 ff 49 03 54 24 78 48 8b 40 68 48 89 c1 48 81 c1 98 03 00 00 74 07 f0 ff 80 98 03 00 00 <48> 89 0a be 3b 00 00 00 48 c7 c2 13 96 2c a6 48 c7 c7 00 38 38
> [ 0.052000] RIP: apparmor_init+0x26f/0x2fa RSP: ffffffffa6403e38
> [ 0.052000] CR2: 0000000000000020
> [ 0.052000] ---[ end trace 754b9ec1da9bb5fc ]---
> [ 0.052000] Kernel panic - not syncing: Attempted to kill the idle task!
> [ 0.052000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task!
>
>
>
> [ 0.000000] Linux version 4.13.0-17-generic (buildd at lcy01-amd64-011) (gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)) #20-Ubuntu SMP Mon Nov 6 10:04:08 UTC 2017 (Ubuntu 4.13.0-17.20-generic 4.13.8)
> [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=selinux
> (...snipped...)
> [ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=selinux
> [ 0.000000] LSM: command line set 'selinux' security module(s).
> (...snipped...)
> [ 0.038014] Security Framework initialized
> [ 0.039119] Yama: becoming mindful.
> [ 0.040019] SELinux: Disabled at boot.
> [ 0.049252] AppArmor: AppArmor initialized
> [ 0.076808] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes)
> [ 0.091667] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes)
> [ 0.092461] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes)
> [ 0.096417] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes)
> [ 0.099552] Disabled fast string operations
> [ 0.100007] CPU: Physical Processor ID: 0
> [ 0.101090] ENERGY_PERF_BIAS: Set to 'normal', was 'performance'
> [ 0.102650] ENERGY_PERF_BIAS: View and update with x86_energy_perf_policy(8)
> [ 0.104008] mce: CPU supports 0 MCE banks
> [ 0.105095] Last level iTLB entries: 4KB 512, 2MB 8, 4MB 8
> [ 0.108003] Last level dTLB entries: 4KB 512, 2MB 32, 4MB 32, 1GB 0
> [ 0.109930] Freeing SMP alternatives memory: 36K
> [ 0.121143] smpboot: Max logical packages: 128
> [ 0.124000] x2apic enabled
> [ 0.124026] Switched APIC routing to physical x2apic.
> [ 0.130183] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
> [ 0.132000] smpboot: CPU0: Intel(R) Core(TM) i7-2630QM CPU @ 2.00GHz (family: 0x6, model: 0x2a, stepping: 0x7)
> [ 0.132556] Performance Events: SandyBridge events, core PMU driver.
> [ 0.135024] core: CPUID marked event: 'cpu cycles' unavailable
> [ 0.136007] core: CPUID marked event: 'instructions' unavailable
> [ 0.138399] core: CPUID marked event: 'bus cycles' unavailable
> [ 0.140008] core: CPUID marked event: 'cache references' unavailable
> [ 0.142397] core: CPUID marked event: 'cache misses' unavailable
> [ 0.144004] core: CPUID marked event: 'branch instructions' unavailable
> [ 0.146528] core: CPUID marked event: 'branch misses' unavailable
> [ 0.148022] ... version: 1
> [ 0.149754] ... bit width: 48
> [ 0.151620] ... generic registers: 4
> [ 0.152006] ... value mask: 0000ffffffffffff
> [ 0.154124] ... max period: 000000007fffffff
> [ 0.156004] ... fixed-purpose events: 0
> [ 0.157598] ... event mask: 000000000000000f
> [ 0.159990] Hierarchical SRCU implementation.
> [ 0.160195] BUG: unable to handle kernel NULL pointer dereference at 000000000000000b
> [ 0.163303] IP: __kmalloc_node+0x135/0x2a0
> [ 0.164000] PGD 0
> [ 0.164000] P4D 0
> [ 0.164000]
> [ 0.164000] Oops: 0000 [#1] SMP
> [ 0.164000] Modules linked in:
> [ 0.164000] CPU: 0 PID: 2 Comm: kthreadd Not tainted 4.13.0-17-generic #20-Ubuntu
> [ 0.164000] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
> [ 0.164000] task: ffff980cf8658000 task.stack: ffffb809c0654000
> [ 0.164000] RIP: 0010:__kmalloc_node+0x135/0x2a0
> [ 0.164000] RSP: 0000:ffffb809c0657c70 EFLAGS: 00010246
> [ 0.164000] RAX: 0000000000000000 RBX: 00000000014080c0 RCX: 0000000000000178
> [ 0.164000] RDX: 0000000000000177 RSI: 0000000000000000 RDI: 000000000001f420
> [ 0.164000] RBP: ffffb809c0657cb0 R08: ffff980cf961f420 R09: ffff980cf9007900
> [ 0.164000] R10: ffffffffffffc000 R11: ffffd809bfffffff R12: 00000000014080c0
> [ 0.164000] R13: 0000000000000020 R14: 000000000000000b R15: ffff980cf9007900
> [ 0.164000] FS: 0000000000000000(0000) GS:ffff980cf9600000(0000) knlGS:0000000000000000
> [ 0.164000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 0.164000] CR2: 000000000000000b CR3: 000000012b009000 CR4: 00000000000406f0
> [ 0.164000] Call Trace:
> [ 0.164000] ? __vmalloc_node_range+0xd4/0x260
> [ 0.164000] __vmalloc_node_range+0xd4/0x260
> [ 0.164000] copy_process.part.31+0x662/0x1ae0
> [ 0.164000] ? _do_fork+0xdf/0x3f0
> [ 0.164000] ? kthread_create_on_node+0x70/0x70
> [ 0.164000] ? pick_next_task_fair+0x48e/0x560
> [ 0.164000] _do_fork+0xdf/0x3f0
> [ 0.164000] ? __schedule+0x293/0x890
> [ 0.164000] kernel_thread+0x29/0x30
> [ 0.164000] kthreadd+0x29f/0x2f0
> [ 0.164000] ? kthread_create_on_cpu+0xa0/0xa0
> [ 0.164000] ret_from_fork+0x25/0x30
> [ 0.164000] Code: 89 cf 4c 89 4d c0 e8 0b 7f 01 00 49 89 c7 4c 8b 4d c0 4d 85 ff 0f 85 47 ff ff ff 45 31 f6 eb 3c 49 63 47 20 49 8b 3f 48 8d 4a 01 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 0f 84 20 ff
> [ 0.164000] RIP: __kmalloc_node+0x135/0x2a0 RSP: ffffb809c0657c70
> [ 0.164000] CR2: 000000000000000b
> [ 0.164000] ---[ end trace 8bd0169accb86cdb ]---
>
>
>
> [ 0.000000] Linux version 4.13.0-17-generic (buildd at lcy01-amd64-011) (gcc version 7.2.0 (Ubuntu 7.2.0-8ubuntu3)) #20-Ubuntu SMP Mon Nov 6 10:04:08 UTC 2017 (Ubuntu 4.13.0-17.20-generic 4.13.8)
> [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=tomoyo
> (...snipped...)
> [ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.13.0-17-generic root=UUID=379f2d1d-c10e-4423-a3fd-a64863cda7b0 ro console=ttyS0,115200n8 console=tty security=tomoyo
> [ 0.000000] LSM: command line set 'tomoyo' security module(s).
> (...snipped...)
> [ 0.038327] Security Framework initialized
> [ 0.040005] Yama: becoming mindful.
> [ 0.040999] TOMOYO Linux initialized
> [ 0.049585] AppArmor: AppArmor initialized
> [ 0.077621] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes)
> [ 0.092942] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes)
> [ 0.095309] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes)
> [ 0.096408] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes)
> [ 0.100988] Disabled fast string operations
> [ 0.102220] CPU: Physical Processor ID: 0
> [ 0.103379] ENERGY_PERF_BIAS: Set to 'normal', was 'performance'
> [ 0.104004] ENERGY_PERF_BIAS: View and update with x86_energy_perf_policy(8)
> [ 0.105951] mce: CPU supports 0 MCE banks
> [ 0.108017] Last level iTLB entries: 4KB 512, 2MB 8, 4MB 8
> [ 0.109524] Last level dTLB entries: 4KB 512, 2MB 32, 4MB 32, 1GB 0
> [ 0.111426] Freeing SMP alternatives memory: 36K
> [ 0.117374] BUG: unable to handle kernel NULL pointer dereference at 0000000000000003
> [ 0.119676] IP: __kmalloc+0x9b/0x200
> [ 0.120000] PGD 0
> [ 0.120000] P4D 0
> [ 0.120000]
> [ 0.120000] Oops: 0000 [#1] SMP
> [ 0.120000] Modules linked in:
> [ 0.120000] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.0-17-generic #20-Ubuntu
> [ 0.120000] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
> [ 0.120000] task: ffffffff9a810480 task.stack: ffffffff9a800000
> [ 0.120000] RIP: 0010:__kmalloc+0x9b/0x200
> [ 0.120000] RSP: 0000:ffffffff9a803c58 EFLAGS: 00010206
> [ 0.120000] RAX: 0000000000000000 RBX: 0000000000008000 RCX: 0000000000000037
> [ 0.120000] RDX: 0000000000000036 RSI: 0000000000000000 RDI: 000000000001f3e0
> [ 0.120000] RBP: ffffffff9a803c88 R08: ffff9a55b961f3e0 R09: ffff9a55b9007c00
> [ 0.120000] R10: 0000000000000000 R11: 00000000000200c8 R12: 0000000000000003
> [ 0.120000] R13: 00000000014080c0 R14: 0000000000000008 R15: ffff9a55b9007c00
> [ 0.120000] FS: 0000000000000000(0000) GS:ffff9a55b9600000(0000) knlGS:0000000000000000
> [ 0.120000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 0.120000] CR2: 0000000000000003 CR3: 00000000ba809000 CR4: 00000000000406f0
> [ 0.120000] Call Trace:
> [ 0.120000] ? security_prepare_creds+0x73/0x90
> [ 0.120000] security_prepare_creds+0x73/0x90
> [ 0.120000] prepare_creds+0xbd/0xf0
> [ 0.120000] copy_creds+0x2f/0x120
> [ 0.120000] copy_process.part.31+0x2e5/0x1ae0
> [ 0.120000] ? enqueue_task_fair+0xaf/0x6b0
> [ 0.120000] ? kthread_create_on_cpu+0xa0/0xa0
> [ 0.120000] ? sched_clock+0x9/0x10
> [ 0.120000] _do_fork+0xdf/0x3f0
> [ 0.120000] ? update_rq_clock+0x30/0x80
> [ 0.120000] ? do_set_mempolicy+0x30/0x130
> [ 0.120000] kernel_thread+0x29/0x30
> [ 0.120000] rest_init+0x74/0xc0
> [ 0.120000] start_kernel+0x4c0/0x4e1
> [ 0.120000] ? early_idt_handler_array+0x120/0x120
> [ 0.120000] x86_64_start_reservations+0x24/0x26
> [ 0.120000] x86_64_start_kernel+0x13e/0x161
> [ 0.120000] secondary_startup_64+0x9f/0x9f
> [ 0.120000] Code: 08 65 4c 03 05 f7 07 3e 66 49 83 78 10 00 4d 8b 20 0f 84 f7 00 00 00 4d 85 e4 0f 84 ee 00 00 00 49 63 41 20 49 8b 39 48 8d 4a 01 <49> 8b 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb 49 63
> [ 0.120000] RIP: __kmalloc+0x9b/0x200 RSP: ffffffff9a803c58
> [ 0.120000] CR2: 0000000000000003
> [ 0.120000] ---[ end trace bee324c32248c3f4 ]---
> [ 0.120000] Kernel panic - not syncing: Attempted to kill the idle task!
> [ 0.120000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task!
> ----------
>
> cred->security for AppArmor will not be allocated (and therefore will trigger
> NULL pointer dereference) because security_add_blobs(&apparmor_blob_sizes) is
> not called when the administrator asked not to enable AppArmor. We need to
> reset apparmor_enabled to 0 in order to prevent apparmor_init() from calling
> set_init_ctx().
>
> ----------
> static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
> {
> #ifdef CONFIG_SECURITY_STACKING
> return cred->security + apparmor_blob_sizes.lbs_cred;
> #else
> return cred->security;
> #endif
> }
>
> static int __init set_init_ctx(void)
> {
> struct cred *cred = (struct cred *)current->real_cred;
> struct aa_task_ctx *ctx;
>
> lsm_early_cred(cred);
> ctx = apparmor_cred(cred);
>
> ctx->label = aa_get_label(ns_unconfined(root_ns));
>
> return 0;
> }
> ----------
>
> Thus, please also apply below patch.
Thank you. I will incorporate this, too.
>
> ----------
> diff -ur linux-4.13.0-17.20.orig/security/apparmor/lsm.c linux-4.13.0-17.20/security/apparmor/lsm.c
> --- linux-4.13.0-17.20.orig/security/apparmor/lsm.c
> +++ linux-4.13.0-17.20/security/apparmor/lsm.c
> @@ -1562,6 +1562,8 @@
> security_module_enable("apparmor",
> IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
> security_add_blobs(&apparmor_blob_sizes);
> + else
> + apparmor_enabled = 0;
> finish = 1;
> return 0;
> }
> ----------
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH 6/9] LSM: General stacking
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
` (4 preceding siblings ...)
2017-10-27 21:45 ` [PATCH 5/9] LSM: Manage remaining " Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-10-27 21:45 ` [PATCH 7/9] LSM: Shared secids Casey Schaufler
` (4 subsequent siblings)
10 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 6/9] LSM: General stacking
Leverage the infrastructure management of the security blobs
to allow stacking of security modules in all but the most
extreme case. Security modules are informed of the location
of their data within the blobs at module initialization.
Stacking is optional. If stacking is not configured the old
limit of one "major" security module applies. If stacking is
configured TOMOYO can be configured with an of the other
modules. SELinux, Smack and AppArmor use (or in the AppArmor
case, threaten to use) secids, which are not (yet) shareable.
A subdirectory has been added to /proc/.../attr for each of
SELinux and AppArmor (Smack introduced such a subdirectory earlier)
to disambiguate what data is provided in the proc/.../attr
interfaces.
Unlike earlier versions of this patch, there is no "context"
entry introduced. No mechanism is provided to get all of
the process security data at the same time.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/admin-guide/LSM/index.rst | 14 ++++--
fs/proc/base.c | 29 +++++++++++
include/linux/lsm_hooks.h | 2 +-
security/Kconfig | 86 +++++++++++++++++++++++++++++++++
security/apparmor/include/context.h | 10 ++++
security/apparmor/lsm.c | 8 ++-
security/security.c | 30 +++++++++++-
security/selinux/hooks.c | 3 +-
security/selinux/include/objsec.h | 8 +++
security/smack/smack.h | 9 ++++
security/smack/smack_lsm.c | 17 +++----
security/tomoyo/common.h | 12 ++++-
security/tomoyo/tomoyo.c | 3 +-
13 files changed, 210 insertions(+), 21 deletions(-)
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index 9842e21afd4a..d3d8af174042 100644
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -17,10 +17,16 @@ MAC extensions, other extensions can be built using the LSM to provide
specific changes to system operation when these tweaks are not available
in the core functionality of Linux itself.
-The Linux capabilities modules will always be included. This may be
-followed by any number of "minor" modules and at most one "major" module.
-For more details on capabilities, see ``capabilities(7)`` in the Linux
-man-pages project.
+The Linux capabilities modules will always be included. For more details
+on capabilities, see ``capabilities(7)`` in the Linux man-pages project.
+
+Security modules that do not use the security data blobs maintained
+by the LSM infrastructure are considered "minor" modules. These may be
+included at compile time and stacked explicitly. Security modules that
+use the LSM maintained security blobs are considered "major" modules.
+These may only be stacked if the CONFIG_LSM_STACKED configuration
+option is used. If this is chosen all of the security modules selected
+will be used.
A list of the active security modules can be found by reading
``/sys/kernel/security/lsm``. This is a comma separated list, and
diff --git a/fs/proc/base.c b/fs/proc/base.c
index a096e90fc12e..e6ee90483916 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2593,6 +2593,18 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \
.setattr = proc_setattr, \
}
+#ifdef CONFIG_SECURITY_SELINUX
+static const struct pid_entry selinux_attr_dir_stuff[] = {
+ ATTR("selinux", "current", 0666),
+ ATTR("selinux", "prev", 0444),
+ ATTR("selinux", "exec", 0666),
+ ATTR("selinux", "fscreate", 0666),
+ ATTR("selinux", "keycreate", 0666),
+ ATTR("selinux", "sockcreate", 0666),
+};
+LSM_DIR_OPS(selinux);
+#endif
+
#ifdef CONFIG_SECURITY_SMACK
static const struct pid_entry smack_attr_dir_stuff[] = {
ATTR("smack", "current", 0666),
@@ -2600,6 +2612,15 @@ static const struct pid_entry smack_attr_dir_stuff[] = {
LSM_DIR_OPS(smack);
#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+static const struct pid_entry apparmor_attr_dir_stuff[] = {
+ ATTR("apparmor", "current", 0666),
+ ATTR("apparmor", "prev", 0444),
+ ATTR("apparmor", "exec", 0666),
+};
+LSM_DIR_OPS(apparmor);
+#endif
+
static const struct pid_entry attr_dir_stuff[] = {
ATTR(NULL, "current", 0666),
ATTR(NULL, "prev", 0444),
@@ -2607,10 +2628,18 @@ static const struct pid_entry attr_dir_stuff[] = {
ATTR(NULL, "fscreate", 0666),
ATTR(NULL, "keycreate", 0666),
ATTR(NULL, "sockcreate", 0666),
+#ifdef CONFIG_SECURITY_SELINUX
+ DIR("selinux", 0555,
+ proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops),
+#endif
#ifdef CONFIG_SECURITY_SMACK
DIR("smack", 0555,
proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+ DIR("apparmor", 0555,
+ proc_apparmor_attr_dir_inode_ops, proc_apparmor_attr_dir_ops),
+#endif
};
static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index cae3f6591044..84643a3ae378 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1975,7 +1975,7 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
#define __lsm_ro_after_init __ro_after_init
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
-extern int __init security_module_enable(const char *module);
+extern bool __init security_module_enable(const char *lsm, const bool stacked);
extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA
extern void __init yama_add_hooks(void);
diff --git a/security/Kconfig b/security/Kconfig
index f3464fb5a8b0..a14d50b45b6c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -36,6 +36,28 @@ config SECURITY_WRITABLE_HOOKS
bool
default n
+config SECURITY_STACKING
+ bool "Security module stacking"
+ depends on SECURITY
+ help
+ Allows multiple major security modules to be stacked.
+ Modules are invoked in the order registered with a
+ "bail on fail" policy, in which the infrastructure
+ will stop processing once a denial is detected. Not
+ all modules can be stacked. SELinux and Smack are
+ known to be incompatible. User space components may
+ have trouble identifying the security module providing
+ data in some cases.
+
+ If you select this option you will have to select which
+ of the stackable modules you wish to be active. The
+ "Default security module" will be ignored. The boot line
+ "security=" option can be used to specify that one of
+ the modules identifed for stacking should be used instead
+ of the entire stack.
+
+ If you are unsure how to answer this question, answer N.
+
config SECURITY_LSM_DEBUG
bool "Enable debugging of the LSM infrastructure"
depends on SECURITY
@@ -225,6 +247,9 @@ source security/yama/Kconfig
source security/integrity/Kconfig
+menu "Security Module Selection"
+ visible if !SECURITY_STACKING
+
choice
prompt "Default security module"
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
@@ -264,3 +289,64 @@ config DEFAULT_SECURITY
endmenu
+menu "Security Module Stack"
+ visible if SECURITY_STACKING
+
+choice
+ prompt "Stacked 'extreme' security module"
+ default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
+ default SECURITY_SMACK_STACKED if SECURITY_SMACK
+ default SECURITY_APPARMOR_STACKED if SECURITY_APPARMOR
+
+ help
+ Enable an extreme security module. These modules cannot
+ be used at the same time.
+
+ config SECURITY_SELINUX_STACKED
+ bool "SELinux" if SECURITY_SELINUX=y
+ help
+ This option instructs the system to use the SELinux checks.
+ At this time the Smack security module is incompatible with this
+ module.
+ At this time the AppArmor security module is incompatible with this
+ module.
+
+ config SECURITY_SMACK_STACKED
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+ help
+ This option instructs the system to use the Smack checks.
+ At this time the SELinux security module is incompatible with this
+ module.
+ At this time the AppArmor security module is incompatible with this
+ module.
+
+ config SECURITY_APPARMOR_STACKED
+ bool "AppArmor" if SECURITY_APPARMOR=y
+ help
+ This option instructs the system to use the AppArmor checks.
+ At this time the SELinux security module is incompatible with this
+ module.
+ At this time the Smack security module is incompatible with this
+ module.
+
+ config SECURITY_NOTHING_STACKED
+ bool "Use no 'extreme' security module"
+ help
+ Use none of the SELinux, Smack or AppArmor security module.
+
+endchoice
+
+config SECURITY_TOMOYO_STACKED
+ bool "TOMOYO support is enabled by default"
+ depends on SECURITY_TOMOYO && SECURITY_STACKING
+ default n
+ help
+ This option instructs the system to use the TOMOYO checks.
+ If not selected the module will not be invoked.
+ Stacked security modules may interact in unexpected ways.
+
+ If you are unsure how to answer this question, answer N.
+
+endmenu
+
+endmenu
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index c6e106a533e8..c6d5dbbd18b0 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -55,9 +55,15 @@ int aa_set_current_hat(struct aa_label *label, u64 token);
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);
+extern struct lsm_blob_sizes apparmor_blob_sizes;
+
static inline struct aa_task_ctx *apparmor_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + apparmor_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
/**
@@ -89,7 +95,11 @@ static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
static inline struct aa_file_ctx *apparmor_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + apparmor_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
/**
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8edbf79062cd..b36d08f5ce1d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1467,7 +1467,9 @@ static int __init apparmor_init(void)
int error;
if (!finish) {
- if (apparmor_enabled && security_module_enable("apparmor"))
+ if (apparmor_enabled &&
+ security_module_enable("apparmor",
+ IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED)))
security_add_blobs(&apparmor_blob_sizes);
else
apparmor_enabled = 0;
@@ -1475,7 +1477,9 @@ static int __init apparmor_init(void)
return 0;
}
- if (!apparmor_enabled || !security_module_enable("apparmor")) {
+ if (!apparmor_enabled ||
+ !security_module_enable("apparmor",
+ IS_ENABLED(CONFIG_SECURITY_APPARMOR_STACKED))) {
aa_info_message("AppArmor disabled by boot time parameter");
apparmor_enabled = 0;
return 0;
diff --git a/security/security.c b/security/security.c
index 8439acd36160..a306a5447d43 100644
--- a/security/security.c
+++ b/security/security.c
@@ -35,6 +35,7 @@
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
+#define MODULE_STACK "(stacking)"
struct security_hook_heads security_hook_heads __lsm_ro_after_init;
static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
@@ -47,7 +48,11 @@ static struct lsm_blob_sizes blob_sizes;
/* Boot-time LSM user choice */
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
+#ifdef CONFIG_SECURITY_STACKING
+ MODULE_STACK;
+#else
CONFIG_DEFAULT_SECURITY;
+#endif
static void __init do_security_initcalls(void)
{
@@ -167,6 +172,7 @@ static int lsm_append(char *new, char **result)
/**
* security_module_enable - Load given security module on boot ?
* @module: the name of the module
+ * @stacked: indicates that the module wants to be stacked
*
* Each LSM must pass this method before registering its own operations
* to avoid security registration races. This method may also be used
@@ -182,9 +188,29 @@ static int lsm_append(char *new, char **result)
*
* Otherwise, return false.
*/
-int __init security_module_enable(const char *module)
+bool __init security_module_enable(const char *lsm, const bool stacked)
{
- return !strcmp(module, chosen_lsm);
+#ifdef CONFIG_SECURITY_STACKING
+ /*
+ * Module defined on the command line security=XXXX
+ */
+ if (strcmp(chosen_lsm, MODULE_STACK)) {
+ if (!strcmp(lsm, chosen_lsm)) {
+ pr_info("Command line sets the %s security module.\n",
+ lsm);
+ return true;
+ }
+ return false;
+ }
+ /*
+ * Module configured as stacked.
+ */
+ return stacked;
+#else
+ if (strcmp(lsm, chosen_lsm) == 0)
+ return true;
+ return false;
+#endif
}
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cfee70096f97..a3466517c55c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6300,7 +6300,8 @@ static __init int selinux_init(void)
{
static int finish;
- if (!security_module_enable("selinux")) {
+ if (!security_module_enable("selinux",
+ IS_ENABLED(CONFIG_SECURITY_SELINUX_STACKED))) {
selinux_enabled = 0;
return 0;
}
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index f2f1e2d15eb8..7abb443c2ed2 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -155,12 +155,20 @@ extern struct lsm_blob_sizes selinux_blob_sizes;
static inline struct task_security_struct *selinux_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + selinux_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
static inline struct file_security_struct *selinux_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + selinux_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
static inline struct inode_security_struct *selinux_inode(
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 1b875c2f3d9d..e7611de071f1 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -336,6 +336,7 @@ extern struct smack_known *smack_syslog_label;
extern struct smack_known *smack_unconfined;
#endif
extern int smack_ptrace_rule;
+extern struct lsm_blob_sizes smack_blob_sizes;
extern struct smack_known smack_known_floor;
extern struct smack_known smack_known_hat;
@@ -358,12 +359,20 @@ extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
static inline struct task_smack *smack_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + smack_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
static inline struct smack_known **smack_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + smack_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
static inline struct inode_smack *smack_inode(const struct inode *inode)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 4588c48aab86..e3f32f4d322a 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3427,18 +3427,16 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
{
struct smack_known *skp = smk_of_task_struct(p);
char *cp;
- int slen;
- if (strcmp(name, "current") != 0)
+ if (strcmp(name, "current") == 0) {
+ cp = kstrdup(skp->smk_known, GFP_KERNEL);
+ if (cp == NULL)
+ return -ENOMEM;
+ } else
return -EINVAL;
- cp = kstrdup(skp->smk_known, GFP_KERNEL);
- if (cp == NULL)
- return -ENOMEM;
-
- slen = strlen(cp);
*value = cp;
- return slen;
+ return strlen(cp);
}
/**
@@ -4594,7 +4592,8 @@ static __init int smack_init(void)
struct cred *cred = (struct cred *) current->cred;
struct task_smack *tsp;
- if (!security_module_enable("smack"))
+ if (!security_module_enable("smack",
+ IS_ENABLED(CONFIG_SECURITY_SMACK_STACKED)))
return 0;
if (!finish) {
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index cbcfccc84784..2eed9d44eec1 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -1085,6 +1085,7 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
+extern struct lsm_blob_sizes tomoyo_blob_sizes;
/********** Inlined functions. **********/
@@ -1204,7 +1205,11 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
*/
static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return cred->security + tomoyo_blob_sizes.lbs_cred;
+#else
return cred->security;
+#endif
}
/**
@@ -1214,8 +1219,13 @@ static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
*/
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
- struct tomoyo_domain_info **blob = tomoyo_cred(current_cred());
+ const struct cred *cred = current_cred();
+ struct tomoyo_domain_info **blob;
+
+ if (cred->security == NULL)
+ return NULL;
+ blob = tomoyo_cred(cred);
return *blob;
}
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 1224a59291fb..32173de284f8 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -561,7 +561,8 @@ static int __init tomoyo_init(void)
struct cred *cred = (struct cred *) current_cred();
struct tomoyo_domain_info **blob;
- if (!security_module_enable("tomoyo"))
+ if (!security_module_enable("tomoyo",
+ IS_ENABLED(CONFIG_SECURITY_TOMOYO_STACKED)))
return 0;
if (!finish) {
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 7/9] LSM: Shared secids
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
` (5 preceding siblings ...)
2017-10-27 21:45 ` [PATCH 6/9] LSM: General stacking Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-10-27 21:45 ` [PATCH 8/9] LSM: Multiple security mount options Casey Schaufler
` (3 subsequent siblings)
10 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 7/9] LSM: Shared secids
Introduces a mechanism for mapping a set of security
module secids to and from a "token". The module interfaces
are changed to generally hide the mechanism from both the
security modules and the callers of the security hooks.
The implementation of the lsm_token functions is functional
but not production ready. At the least, it needs locking and
lifetime management which it lacks. The versions here do
work with Ubuntu 17.04 and Fedora 27 in workstation
configurations.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 43 +++++-
include/net/request_sock.h | 2 +
security/Makefile | 1 +
security/security.c | 292 ++++++++++++++++++++++++++++++++++++++-
security/selinux/hooks.c | 31 ++++-
security/selinux/include/xfrm.h | 2 +-
security/selinux/xfrm.c | 6 +-
security/smack/smack.h | 11 ++
security/smack/smack_lsm.c | 14 +-
security/smack/smack_netfilter.c | 6 +-
security/stacking.c | 188 +++++++++++++++++++++++++
11 files changed, 570 insertions(+), 26 deletions(-)
create mode 100644 security/stacking.c
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 84643a3ae378..d49d4f3544cf 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1624,7 +1624,7 @@ union security_list_options {
void (*secmark_refcount_inc)(void);
void (*secmark_refcount_dec)(void);
void (*req_classify_flow)(const struct request_sock *req,
- struct flowi *fl);
+ u32 *fl_secid);
int (*tun_dev_alloc_security)(void **security);
void (*tun_dev_free_security)(void *security);
int (*tun_dev_create)(void);
@@ -1660,7 +1660,7 @@ union security_list_options {
u8 dir);
int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
struct xfrm_policy *xp,
- const struct flowi *fl);
+ u32 fl_secid);
int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
@@ -1912,9 +1912,48 @@ struct security_hook_list {
struct list_head *head;
union security_list_options hook;
char *lsm;
+ int lsm_index;
} __randomize_layout;
/*
+ * The maximum number of major security modules.
+ * Used to avoid excessive memory management while
+ * mapping global and module specific secids.
+ *
+ * Currently SELinux, Smack, AppArmor, TOMOYO
+ * Oh, but Casey needs to come up with the right way
+ * to identify a "major" module, so use the total number
+ * of modules (including minor) for now.
+ * Minor: Capability, Yama, LoadPin
+ */
+#define LSM_MAX_MAJOR 8
+
+#ifdef CONFIG_SECURITY_STACKING
+struct lsm_secids {
+ u32 secid[LSM_MAX_MAJOR];
+};
+
+extern u32 lsm_secids_to_token(const struct lsm_secids *secids);
+extern void lsm_token_to_secids(const u32 token, struct lsm_secids *secids);
+extern u32 lsm_token_get_secid(const u32 token, int lsm);
+extern u32 lsm_token_set_secid(const u32 token, u32 lsecid, int lsm);
+extern u32 lsm_token_to_module_secid(const u32 token, int lsm);
+extern void lsm_secids_init(struct lsm_secids *secids);
+#else /* CONFIG_SECURITY_STACKING */
+
+static inline u32 lsm_token_get_secid(const u32 token, int lsm)
+{
+ return token;
+}
+
+static inline u32 lsm_token_set_secid(const u32 token, u32 lsecid, int lsm)
+{
+ return lsecid;
+}
+
+#endif /* CONFIG_SECURITY_STACKING */
+
+/*
* Security blob size or offset data.
*/
struct lsm_blob_sizes {
diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index 23e22054aa60..07c0e919c4e7 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -102,6 +102,8 @@ reqsk_alloc(const struct request_sock_ops *ops, struct sock *sk_listener,
sk_tx_queue_clear(req_to_sk(req));
req->saved_syn = NULL;
refcount_set(&req->rsk_refcnt, 0);
+ req->secid = 0;
+ req->peer_secid = 0;
return req;
}
diff --git a/security/Makefile b/security/Makefile
index f2d71cdb8e19..05e6d525b5a1 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
+obj-$(CONFIG_SECURITY_STACKING) += stacking.o
# Object integrity file lists
subdir-$(CONFIG_INTEGRITY) += integrity
diff --git a/security/security.c b/security/security.c
index a306a5447d43..0269971b3b05 100644
--- a/security/security.c
+++ b/security/security.c
@@ -213,6 +213,11 @@ bool __init security_module_enable(const char *lsm, const bool stacked)
#endif
}
+/*
+ * Keep the order of major modules for mapping secids.
+ */
+static int lsm_next_major;
+
/**
* security_add_hooks - Add a modules hooks to the hook lists.
* @hooks: the hooks to add
@@ -225,9 +230,14 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
char *lsm)
{
int i;
+ int lsm_index = lsm_next_major++;
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: Security module %s gets index %d\n", lsm, lsm_index);
+#endif
for (i = 0; i < count; i++) {
hooks[i].lsm = lsm;
+ hooks[i].lsm_index = lsm_index;
list_add_tail_rcu(&hooks[i].list, hooks[i].head);
}
if (lsm_append(lsm, &lsm_names) < 0)
@@ -1217,7 +1227,19 @@ EXPORT_SYMBOL(security_inode_listsecurity);
void security_inode_getsecid(struct inode *inode, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.inode_getsecid, list)
+ hp->hook.inode_getsecid(inode, &secids.secid[hp->lsm_index]);
+
+ *secid = lsm_secids_to_token(&secids);
+#else
call_void_hook(inode_getsecid, inode, secid);
+#endif
}
int security_inode_copy_up(struct dentry *src, struct cred **new)
@@ -1415,7 +1437,28 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
int security_kernel_act_as(struct cred *new, u32 secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.kernel_act_as, list) {
+ /*
+ * Not all of the security modules may have gotten
+ * a secid when this token was created, so ignore 0.
+ */
+ if (secids.secid[hp->lsm_index] == 0)
+ continue;
+ rc = hp->hook.kernel_act_as(new, secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+ return rc;
+#else
return call_int_hook(kernel_act_as, 0, new, secid);
+#endif
}
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
@@ -1474,8 +1517,20 @@ int security_task_getsid(struct task_struct *p)
void security_task_getsecid(struct task_struct *p, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.task_getsecid, list)
+ hp->hook.task_getsecid(p, &secids.secid[hp->lsm_index]);
+
+ *secid = lsm_secids_to_token(&secids);
+#else
*secid = 0;
call_void_hook(task_getsecid, p, secid);
+#endif
}
EXPORT_SYMBOL(security_task_getsecid);
@@ -1524,7 +1579,23 @@ int security_task_movememory(struct task_struct *p)
int security_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.task_kill, list) {
+ rc = hp->hook.task_kill(p, info, sig,
+ secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+ return rc;
+#else
return call_int_hook(task_kill, 0, p, info, sig, secid);
+#endif
}
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
@@ -1557,8 +1628,20 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.ipc_getsecid, list)
+ hp->hook.ipc_getsecid(ipcp, &secids.secid[hp->lsm_index]);
+
+ *secid = lsm_secids_to_token(&secids);
+#else
*secid = 0;
call_void_hook(ipc_getsecid, ipcp, secid);
+#endif
}
int security_msg_msg_alloc(struct msg_msg *msg)
@@ -1731,15 +1814,52 @@ EXPORT_SYMBOL(security_ismaclabel);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = -EOPNOTSUPP;
+
+ lsm_token_to_secids(secid, &secids);
+
+ /*
+ * Return the first result regardless.
+ */
+ list_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
+ rc = hp->hook.secid_to_secctx(secids.secid[hp->lsm_index],
+ secdata, seclen);
+ if (rc != -EOPNOTSUPP)
+ break;
+ }
+ return rc;
+#else
return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
seclen);
+#endif
}
EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
+ rc = hp->hook.secctx_to_secid(secdata, seclen,
+ &secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+
+ *secid = lsm_secids_to_token(&secids);
+ return rc;
+#else
*secid = 0;
return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+#endif
}
EXPORT_SYMBOL(security_secctx_to_secid);
@@ -1868,10 +1988,31 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
optval, optlen, len);
}
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+ u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = -ENOPROTOOPT;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
+ list) {
+ rc = hp->hook.socket_getpeersec_dgram(sock, skb,
+ &secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+
+ if (!rc)
+ *secid = lsm_secids_to_token(&secids);
+ return rc;
+#else
return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
skb, secid);
+#endif
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
@@ -1899,13 +2040,38 @@ EXPORT_SYMBOL(security_sk_clone);
void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.sk_getsecid, list)
+ hp->hook.sk_getsecid(sk, &secids.secid[hp->lsm_index]);
+
+ fl->flowi_secid = lsm_secids_to_token(&secids);
+#else
call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
+#endif
}
EXPORT_SYMBOL(security_sk_classify_flow);
-void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
+void security_req_classify_flow(const struct request_sock *req,
+ struct flowi *fl)
{
- call_void_hook(req_classify_flow, req, fl);
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.req_classify_flow, list)
+ hp->hook.req_classify_flow(req, &secids.secid[hp->lsm_index]);
+
+ fl->flowi_secid = lsm_secids_to_token(&secids);
+#else
+ call_void_hook(req_classify_flow, req, &fl->flowi_secid);
+#endif
}
EXPORT_SYMBOL(security_req_classify_flow);
@@ -1936,7 +2102,24 @@ void security_inet_conn_established(struct sock *sk,
int security_secmark_relabel_packet(u32 secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.secmark_relabel_packet,
+ list) {
+ rc = hp->hook.secmark_relabel_packet(
+ secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+ return rc;
+#else
return call_int_hook(secmark_relabel_packet, 0, secid);
+#endif
}
EXPORT_SYMBOL(security_secmark_relabel_packet);
@@ -2054,7 +2237,24 @@ EXPORT_SYMBOL(security_xfrm_state_alloc);
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.xfrm_state_alloc_acquire,
+ list) {
+ rc = hp->hook.xfrm_state_alloc_acquire(x, polsec,
+ secids.secid[hp->lsm_index]);
+ if (rc)
+ break;
+ }
+ return rc;
+#else
return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid);
+#endif
}
int security_xfrm_state_delete(struct xfrm_state *x)
@@ -2070,7 +2270,23 @@ void security_xfrm_state_free(struct xfrm_state *x)
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(fl_secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.xfrm_policy_lookup, list) {
+ rc = hp->hook.xfrm_policy_lookup(ctx,
+ secids.secid[hp->lsm_index], dir);
+ if (rc)
+ break;
+ }
+ return rc;
+#else
return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir);
+#endif
}
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
@@ -2078,6 +2294,9 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
const struct flowi *fl)
{
struct security_hook_list *hp;
+#ifdef CONFIG_SECURITY_STACKING
+ struct lsm_secids secids;
+#endif
int rc = 1;
/*
@@ -2089,9 +2308,18 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
* For speed optimization, we explicitly break the loop rather than
* using the macro
*/
+#ifdef CONFIG_SECURITY_STACKING
+ lsm_token_to_secids(fl->flowi_secid, &secids);
+#endif
+
list_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
- list) {
- rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl);
+ list) {
+#ifdef CONFIG_SECURITY_STACKING
+ rc = hp->hook.xfrm_state_pol_flow_match(x, xp,
+ secids.secid[hp->lsm_index]);
+#else
+ rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl->flowi_secid);
+#endif
break;
}
return rc;
@@ -2099,15 +2327,51 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.xfrm_decode_session,
+ list) {
+ rc = hp->hook.xfrm_decode_session(skb,
+ &secids.secid[hp->lsm_index], 1);
+ if (rc)
+ break;
+ }
+ if (!rc)
+ *secid = lsm_secids_to_token(&secids);
+ return rc;
+#else
return call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
+#endif
}
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_secids_init(&secids);
+
+ list_for_each_entry(hp, &security_hook_heads.xfrm_decode_session,
+ list) {
+ rc = hp->hook.xfrm_decode_session(skb,
+ &secids.secid[hp->lsm_index], 0);
+ if (rc)
+ break;
+ }
+ BUG_ON(rc);
+ fl->flowi_secid = lsm_secids_to_token(&secids);
+#else
int rc = call_int_hook(xfrm_decode_session, 0, skb, &fl->flowi_secid,
0);
-
BUG_ON(rc);
+#endif
}
EXPORT_SYMBOL(security_skb_classify_flow);
@@ -2166,7 +2430,23 @@ void security_audit_rule_free(void *lsmrule)
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_secids secids;
+ int rc = 0;
+
+ lsm_token_to_secids(secid, &secids);
+
+ list_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
+ rc = hp->hook.audit_rule_match(secids.secid[hp->lsm_index],
+ field, op, lsmrule, actx);
+ if (rc)
+ break;
+ }
+ return rc;
+#else
return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule,
actx);
+#endif
}
#endif /* CONFIG_AUDIT */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a3466517c55c..e6d6ab671493 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -100,6 +100,9 @@
/* SECMARK reference count */
static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
+/* Index into lsm_secids */
+static int selinux_secids_index;
+
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
int selinux_enforcing;
@@ -4617,6 +4620,11 @@ static int selinux_inet_sys_rcv_skb(struct net *ns, int ifindex,
SECCLASS_NODE, NODE__RECVFROM, ad);
}
+static u32 selinux_token_to_secid(u32 token)
+{
+ return lsm_token_get_secid(token, selinux_secids_index);
+}
+
static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
@@ -4636,7 +4644,9 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
return err;
if (selinux_secmark_enabled()) {
- err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ err = avc_has_perm(sk_sid,
+ selinux_token_to_secid(skb->secmark),
+ SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
@@ -4710,7 +4720,9 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
}
if (secmark_active) {
- err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
+ err = avc_has_perm(sk_sid,
+ selinux_token_to_secid(skb->secmark),
+ SECCLASS_PACKET,
PACKET__RECV, &ad);
if (err)
return err;
@@ -4909,9 +4921,9 @@ static void selinux_secmark_refcount_dec(void)
}
static void selinux_req_classify_flow(const struct request_sock *req,
- struct flowi *fl)
+ u32 *fl_secid)
{
- fl->flowi_secid = req->secid;
+ *fl_secid = req->secid;
}
static int selinux_tun_dev_alloc_security(void **security)
@@ -5073,7 +5085,8 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
}
if (secmark_active)
- if (avc_has_perm(peer_sid, skb->secmark,
+ if (avc_has_perm(peer_sid,
+ selinux_token_to_secid(skb->secmark),
SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
return NF_DROP;
@@ -5185,7 +5198,8 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
return NF_DROP;
if (selinux_secmark_enabled())
- if (avc_has_perm(sksec->sid, skb->secmark,
+ if (avc_has_perm(sksec->sid,
+ selinux_token_to_secid(skb->secmark),
SECCLASS_PACKET, PACKET__SEND, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
@@ -5308,7 +5322,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
return NF_DROP;
if (secmark_active)
- if (avc_has_perm(peer_sid, skb->secmark,
+ if (avc_has_perm(peer_sid,
+ selinux_token_to_secid(skb->secmark),
SECCLASS_PACKET, secmark_perm, &ad))
return NF_DROP_ERR(-ECONNREFUSED);
@@ -6328,6 +6343,8 @@ static __init int selinux_init(void)
security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
+ selinux_secids_index = selinux_hooks[0].lsm_index;
+
if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
panic("SELinux: Unable to register AVC netcache callback\n");
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 36a7ce9e11ff..0235b0cfd0ce 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -25,7 +25,7 @@ int selinux_xfrm_state_delete(struct xfrm_state *x);
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
struct xfrm_policy *xp,
- const struct flowi *fl);
+ u32 fl_secid);
#ifdef CONFIG_SECURITY_NETWORK_XFRM
extern atomic_t selinux_xfrm_refcount;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 789d07bd900f..d71e2c32b5da 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -174,7 +174,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
*/
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
struct xfrm_policy *xp,
- const struct flowi *fl)
+ u32 fl_secid)
{
u32 state_sid;
@@ -196,13 +196,13 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
state_sid = x->security->ctx_sid;
- if (fl->flowi_secid != state_sid)
+ if (fl_secid != state_sid)
return 0;
/* We don't need a separate SA Vs. policy polmatch check since the SA
* is now of the same label as the flow and a flow Vs. policy polmatch
* check had already happened in selinux_xfrm_policy_lookup() above. */
- return (avc_has_perm(fl->flowi_secid, state_sid,
+ return (avc_has_perm(fl_secid, state_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
NULL) ? 0 : 1);
}
diff --git a/security/smack/smack.h b/security/smack/smack.h
index e7611de071f1..b16846e3d1f1 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -328,6 +328,7 @@ void smk_destroy_label_list(struct list_head *list);
* Shared data.
*/
extern int smack_enabled;
+extern int smack_secids_index;
extern int smack_cipso_direct;
extern int smack_cipso_mapped;
extern struct smack_known *smack_net_ambient;
@@ -432,6 +433,16 @@ static inline struct smack_known **smack_key(const struct key *key)
}
#endif /* CONFIG_KEYS */
+static inline u32 smack_token_to_secid(u32 token)
+{
+ return lsm_token_get_secid(token, smack_secids_index);
+}
+
+static inline u32 smack_to_token(u32 token, u32 secid)
+{
+ return lsm_token_set_secid(token, secid, smack_secids_index);
+}
+
/*
* Is the directory transmuting?
*/
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index e3f32f4d322a..9031f2dc8bfb 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -57,6 +57,7 @@ static LIST_HEAD(smk_ipv6_port_list);
#endif
static struct kmem_cache *smack_inode_cache;
int smack_enabled;
+int smack_secids_index;
static const match_table_t smk_mount_tokens = {
{Opt_fsdefault, SMK_FSDEFAULT "%s"},
@@ -3789,7 +3790,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
* The secmark is assumed to reflect policy better.
*/
if (skb && skb->secmark != 0) {
- skp = smack_from_secid(skb->secmark);
+ skp = smack_from_secid(smack_token_to_secid(
+ skb->secmark));
goto access_check;
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
@@ -3834,7 +3836,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
break;
#ifdef SMACK_IPV6_SECMARK_LABELING
if (skb && skb->secmark != 0)
- skp = smack_from_secid(skb->secmark);
+ skp = smack_from_secid(smack_token_to_secid(
+ skb->secmark));
else
skp = smack_ipv6host_label(&sadd);
if (skp == NULL)
@@ -3932,7 +3935,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
break;
case PF_INET:
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
- s = skb->secmark;
+ s = smack_token_to_secid(skb->secmark);
if (s != 0)
break;
#endif
@@ -3951,7 +3954,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
break;
case PF_INET6:
#ifdef SMACK_IPV6_SECMARK_LABELING
- s = skb->secmark;
+ s = smack_token_to_secid(skb->secmark);
#endif
break;
}
@@ -4030,7 +4033,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
* The secmark is assumed to reflect policy better.
*/
if (skb && skb->secmark != 0) {
- skp = smack_from_secid(skb->secmark);
+ skp = smack_from_secid(smack_token_to_secid(skb->secmark));
goto access_check;
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
@@ -4618,6 +4621,7 @@ static __init int smack_init(void)
* Register with LSM
*/
security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
+ smack_secids_index = smack_hooks[0].lsm_index;
smack_enabled = 1;
pr_info("Smack: Initializing.\n");
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 701a1cc1bdcc..ee2e16d0b1a3 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -34,7 +34,8 @@ static unsigned int smack_ipv6_output(void *priv,
if (sk && smack_sock(sk)) {
ssp = smack_sock(sk);
skp = ssp->smk_out;
- skb->secmark = skp->smk_secid;
+ skb->secmark = lsm_token_set_secid(skb->secmark,
+ skp->smk_secid, smack_secids_index);
}
return NF_ACCEPT;
@@ -52,7 +53,8 @@ static unsigned int smack_ipv4_output(void *priv,
if (sk && smack_sock(sk)) {
ssp = smack_sock(sk);
skp = ssp->smk_out;
- skb->secmark = skp->smk_secid;
+ skb->secmark = lsm_token_set_secid(skb->secmark,
+ skp->smk_secid, smack_secids_index);
}
return NF_ACCEPT;
diff --git a/security/stacking.c b/security/stacking.c
new file mode 100644
index 000000000000..f74b4f0512aa
--- /dev/null
+++ b/security/stacking.c
@@ -0,0 +1,188 @@
+/*
+ * Maintain a mapping between the secid used in networking
+ * and the set of secids used by the security modules.
+ *
+ * Author:
+ * Casey Schaufler <casey@schaufler-ca.com>
+ *
+ * Copyright (C) 2017 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) 2017 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <linux/lsm_hooks.h>
+
+struct token_entry {
+ int used; /* relative age of the entry */
+ u32 token; /* token value */
+ struct lsm_secids secids; /* secids mapped to this token */
+};
+
+/*
+ * Add an entry to the table when asked for a mapping that
+ * isn't already present. If the table is full throw away the
+ * least recently used entry. If the entry is present undate
+ * when it was used.
+ */
+#define TOKEN_AGE_LIMIT (MAX_INT >> 2)
+#define TOKEN_LIMIT 0x20000000
+#define TOKEN_SET_SIZE 200
+#define TOKEN_BIT 0x80000000
+int token_used;
+u32 token_next;
+struct lsm_secids null_secids;
+struct token_entry token_set[TOKEN_SET_SIZE];
+
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+static void report_token(const char *msg, const struct token_entry *te)
+{
+ int i;
+
+ pr_info("LSM: %s token=%08x %u,%u,%u,%u,%u,%u,%u,%u\n", msg, te->token,
+ te->secids.secid[0], te->secids.secid[1], te->secids.secid[2],
+ te->secids.secid[3], te->secids.secid[4], te->secids.secid[5],
+ te->secids.secid[6], te->secids.secid[7]);
+ for (i = 0; i < LSM_MAX_MAJOR; i++)
+ if (te->secids.secid[i] & TOKEN_BIT)
+ pr_info("LSM: module %d provided a token.\n", i);
+}
+#else
+static inline void report_token(const char *msg, const struct token_entry *te)
+{
+}
+#endif
+
+static int next_used(void)
+{
+ if (token_next >= TOKEN_LIMIT) {
+ pr_info("LSM: Security token use overflow - safe reset\n");
+ token_used = 0;
+ }
+ return ++token_used;
+}
+
+static u32 next_token(void)
+{
+ if (token_next >= TOKEN_LIMIT) {
+ pr_info("LSM: Security token overflow - safe reset\n");
+ token_next = 0;
+ }
+ return ++token_next | TOKEN_BIT;
+}
+
+u32 lsm_secids_to_token(const struct lsm_secids *secids)
+{
+ int i;
+ int j;
+ int old;
+
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ for (i = 0; i < LSM_MAX_MAJOR; i++)
+ if (secids->secid[i] & TOKEN_BIT)
+ pr_info("LSM: %s secid[%d]=%08x has token bit\n",
+ __func__, i, secids->secid[i]);
+#endif
+
+ /*
+ * If none of the secids are set whoever sent this here
+ * was thinking "0".
+ */
+ if (!memcmp(secids, &null_secids, sizeof(*secids)))
+ return 0;
+
+ for (i = 0; i < TOKEN_SET_SIZE; i++) {
+ if (token_set[i].token == 0)
+ break;
+ if (!memcmp(secids, &token_set[i].secids, sizeof(*secids))) {
+ token_set[i].used = next_used();
+ return token_set[i].token;
+ }
+ }
+ if (i == TOKEN_SET_SIZE) {
+ old = token_used;
+ for (j = 0; j < TOKEN_SET_SIZE; j++) {
+ if (token_set[j].used < old) {
+ old = token_set[j].used;
+ i = j;
+ }
+ }
+ }
+ token_set[i].secids = *secids;
+ token_set[i].token = next_token();
+ token_set[i].used = next_used();
+
+ report_token("new", &token_set[i]);
+
+ return token_set[i].token;
+}
+
+void lsm_token_to_secids(const u32 token, struct lsm_secids *secids)
+{
+ int i;
+ struct lsm_secids fudge;
+
+ if (token) {
+ if (!(token & TOKEN_BIT)) {
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: %s token=%08x has no token bit\n",
+ __func__, token);
+#endif
+ for (i = 0; i < LSM_MAX_MAJOR; i++)
+ fudge.secid[i] = token;
+ *secids = fudge;
+ return;
+ }
+ for (i = 0; i < TOKEN_SET_SIZE; i++) {
+ if (token_set[i].token == 0)
+ break;
+ if (token_set[i].token == token) {
+ *secids = token_set[i].secids;
+ token_set[i].used = next_used();
+ return;
+ }
+ }
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ pr_info("LSM: %s token=%u was not found\n", __func__, token);
+#endif
+ }
+ *secids = null_secids;
+}
+
+u32 lsm_token_get_secid(const u32 token, int lsm)
+{
+ struct lsm_secids secids;
+
+ lsm_token_to_secids(token, &secids);
+ return secids.secid[lsm];
+}
+
+u32 lsm_token_set_secid(const u32 token, u32 lsecid, int lsm)
+{
+ struct lsm_secids secids;
+
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (!(token & TOKEN_BIT)) {
+ if (token)
+ pr_info("LSM: %s token=%08x has no token bit\n",
+ __func__, token);
+#else
+ if (!token) {
+#endif
+ lsm_secids_init(&secids);
+ } else {
+ lsm_token_to_secids(token, &secids);
+ if (secids.secid[lsm] == lsecid)
+ return token;
+ }
+
+ secids.secid[lsm] = lsecid;
+ return lsm_secids_to_token(&secids);
+}
+
+void lsm_secids_init(struct lsm_secids *secids)
+{
+ *secids = null_secids;
+}
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info@ http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 8/9] LSM: Multiple security mount options
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
` (6 preceding siblings ...)
2017-10-27 21:45 ` [PATCH 7/9] LSM: Shared secids Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-10-31 15:29 ` Stephen Smalley
2017-10-27 21:45 ` [PATCH 9/9] LSM: Full security module stacking Casey Schaufler
` (2 subsequent siblings)
10 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 8/9] LSM: Multiple security mount options
There needs to be separate data for each of the
security modules that support mount options.
Expand the security_mnt_opts structure to include
an entry for each security module that uses them.
It would be better to have a variable size blob,
but there isn't a convenient place to hang such.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/btrfs/super.c | 10 +++---
include/linux/security.h | 53 ++++++++++++++++++++-------
security/security.c | 15 ++++++--
security/selinux/hooks.c | 90 +++++++++++++++++++++++-----------------------
security/smack/smack_lsm.c | 54 ++++++++++++++--------------
5 files changed, 131 insertions(+), 91 deletions(-)
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 35a128acfbd1..f8f828267d45 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1512,15 +1512,15 @@ static int setup_security_options(struct btrfs_fs_info *fs_info,
return ret;
#ifdef CONFIG_SECURITY
- if (!fs_info->security_opts.num_mnt_opts) {
+ if (fs_info->security_opts.selinux.num_mnt_opts != 0 ||
+ fs_info->security_opts.smack.num_mnt_opts != 0) {
/* first time security setup, copy sec_opts to fs_info */
memcpy(&fs_info->security_opts, sec_opts, sizeof(*sec_opts));
} else {
/*
- * Since SELinux (the only one supporting security_mnt_opts)
- * does NOT support changing context during remount/mount of
- * the same sb, this must be the same or part of the same
- * security options, just free it.
+ * Since no modules support changing context during
+ * remount/mount of the same sb, this must be the same
+ * or part of the same security options, just free it.
*/
security_free_mnt_opts(sec_opts);
}
diff --git a/include/linux/security.h b/include/linux/security.h
index 46ec92658ad3..3a70b23a7dcc 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -163,34 +163,63 @@ typedef int (*initxattrs) (struct inode *inode,
#ifdef CONFIG_SECURITY
-struct security_mnt_opts {
+struct lsm_mnt_opts {
char **mnt_opts;
int *mnt_opts_flags;
int num_mnt_opts;
};
+
+struct security_mnt_opts {
+#ifdef CONFIG_SECURITY_STACKING
+ struct lsm_mnt_opts selinux;
+ struct lsm_mnt_opts smack;
+#else
+ union {
+ struct lsm_mnt_opts selinux;
+ struct lsm_mnt_opts smack;
+ };
+#endif
+};
+
int call_lsm_notifier(enum lsm_event event, void *data);
int register_lsm_notifier(struct notifier_block *nb);
int unregister_lsm_notifier(struct notifier_block *nb);
static inline void security_init_mnt_opts(struct security_mnt_opts *opts)
{
- opts->mnt_opts = NULL;
- opts->mnt_opts_flags = NULL;
- opts->num_mnt_opts = 0;
+ opts->selinux.mnt_opts = NULL;
+ opts->selinux.mnt_opts_flags = NULL;
+ opts->selinux.num_mnt_opts = 0;
+#ifdef CONFIG_SECURITY_STACKING
+ opts->smack.mnt_opts = NULL;
+ opts->smack.mnt_opts_flags = NULL;
+ opts->smack.num_mnt_opts = 0;
+#endif
}
static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
{
int i;
- if (opts->mnt_opts)
- for (i = 0; i < opts->num_mnt_opts; i++)
- kfree(opts->mnt_opts[i]);
- kfree(opts->mnt_opts);
- opts->mnt_opts = NULL;
- kfree(opts->mnt_opts_flags);
- opts->mnt_opts_flags = NULL;
- opts->num_mnt_opts = 0;
+ if (opts->selinux.mnt_opts)
+ for (i = 0; i < opts->selinux.num_mnt_opts; i++)
+ kfree(opts->selinux.mnt_opts[i]);
+ kfree(opts->selinux.mnt_opts);
+ opts->selinux.mnt_opts = NULL;
+ kfree(opts->selinux.mnt_opts_flags);
+ opts->selinux.mnt_opts_flags = NULL;
+ opts->selinux.num_mnt_opts = 0;
+
+#ifdef CONFIG_SECURITY_STACKING
+ if (opts->smack.mnt_opts)
+ for (i = 0; i < opts->smack.num_mnt_opts; i++)
+ kfree(opts->smack.mnt_opts[i]);
+ kfree(opts->smack.mnt_opts);
+ opts->smack.mnt_opts = NULL;
+ kfree(opts->smack.mnt_opts_flags);
+ opts->smack.mnt_opts_flags = NULL;
+ opts->smack.num_mnt_opts = 0;
+#endif
}
/* prototypes */
diff --git a/security/security.c b/security/security.c
index 0269971b3b05..7a004006e761 100644
--- a/security/security.c
+++ b/security/security.c
@@ -771,9 +771,18 @@ int security_sb_set_mnt_opts(struct super_block *sb,
unsigned long kern_flags,
unsigned long *set_kern_flags)
{
- return call_int_hook(sb_set_mnt_opts,
- opts->num_mnt_opts ? -EOPNOTSUPP : 0, sb,
- opts, kern_flags, set_kern_flags);
+ int nobody = 0;
+
+#ifdef SECURITY_EXTREME_STACKING
+ if (opts->selinux.num_mnt_opts != 0 || opts->smack.num_mnt_opts != 0)
+ nobody = -EOPNOTSUPP;
+#else
+ if (opts->selinux.num_mnt_opts != 0)
+ nobody = -EOPNOTSUPP;
+#endif
+
+ return call_int_hook(sb_set_mnt_opts, nobody, sb, opts, kern_flags,
+ set_kern_flags);
}
EXPORT_SYMBOL(security_sb_set_mnt_opts);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e6d6ab671493..395fbfa7bfac 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -545,21 +545,23 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
/* count the number of mount options for this sb */
for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
if (tmp & 0x01)
- opts->num_mnt_opts++;
+ opts->selinux.num_mnt_opts++;
tmp >>= 1;
}
/* Check if the Label support flag is set */
if (sbsec->flags & SBLABEL_MNT)
- opts->num_mnt_opts++;
+ opts->selinux.num_mnt_opts++;
- opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
- if (!opts->mnt_opts) {
+ opts->selinux.mnt_opts = kcalloc(opts->selinux.num_mnt_opts,
+ sizeof(char *), GFP_ATOMIC);
+ if (!opts->selinux.mnt_opts) {
rc = -ENOMEM;
goto out_free;
}
- opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
- if (!opts->mnt_opts_flags) {
+ opts->selinux.mnt_opts_flags = kcalloc(opts->selinux.num_mnt_opts,
+ sizeof(int), GFP_ATOMIC);
+ if (!opts->selinux.mnt_opts_flags) {
rc = -ENOMEM;
goto out_free;
}
@@ -569,22 +571,22 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
rc = security_sid_to_context(sbsec->sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = FSCONTEXT_MNT;
}
if (sbsec->flags & CONTEXT_MNT) {
rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = CONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = CONTEXT_MNT;
}
if (sbsec->flags & DEFCONTEXT_MNT) {
rc = security_sid_to_context(sbsec->def_sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = DEFCONTEXT_MNT;
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct dentry *root = sbsec->sb->s_root;
@@ -594,15 +596,15 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
goto out_free;
- opts->mnt_opts[i] = context;
- opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
+ opts->selinux.mnt_opts[i] = context;
+ opts->selinux.mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
}
if (sbsec->flags & SBLABEL_MNT) {
- opts->mnt_opts[i] = NULL;
- opts->mnt_opts_flags[i++] = SBLABEL_MNT;
+ opts->selinux.mnt_opts[i] = NULL;
+ opts->selinux.mnt_opts_flags[i++] = SBLABEL_MNT;
}
- BUG_ON(i != opts->num_mnt_opts);
+ BUG_ON(i != opts->selinux.num_mnt_opts);
return 0;
@@ -648,9 +650,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
struct inode_security_struct *root_isec;
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
- char **mount_options = opts->mnt_opts;
- int *flags = opts->mnt_opts_flags;
- int num_opts = opts->num_mnt_opts;
+ char **mount_options = opts->selinux.mnt_opts;
+ int *flags = opts->selinux.mnt_opts_flags;
+ int num_opts = opts->selinux.num_mnt_opts;
mutex_lock(&sbsec->lock);
@@ -1010,7 +1012,7 @@ static int selinux_parse_opts_str(char *options,
char *fscontext = NULL, *rootcontext = NULL;
int rc, num_mnt_opts = 0;
- opts->num_mnt_opts = 0;
+ opts->selinux.num_mnt_opts = 0;
/* Standard string-based options. */
while ((p = strsep(&options, "|")) != NULL) {
@@ -1077,41 +1079,39 @@ static int selinux_parse_opts_str(char *options,
case Opt_labelsupport:
break;
default:
- rc = -EINVAL;
printk(KERN_WARNING "SELinux: unknown mount option\n");
- goto out_err;
-
+ break;
}
}
rc = -ENOMEM;
- opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
- if (!opts->mnt_opts)
+ opts->selinux.mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_KERNEL);
+ if (!opts->selinux.mnt_opts)
goto out_err;
- opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
+ opts->selinux.mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int),
GFP_KERNEL);
- if (!opts->mnt_opts_flags)
+ if (!opts->selinux.mnt_opts_flags)
goto out_err;
if (fscontext) {
- opts->mnt_opts[num_mnt_opts] = fscontext;
- opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = fscontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
}
if (context) {
- opts->mnt_opts[num_mnt_opts] = context;
- opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = context;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
}
if (rootcontext) {
- opts->mnt_opts[num_mnt_opts] = rootcontext;
- opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = rootcontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
}
if (defcontext) {
- opts->mnt_opts[num_mnt_opts] = defcontext;
- opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
+ opts->selinux.mnt_opts[num_mnt_opts] = defcontext;
+ opts->selinux.mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
}
- opts->num_mnt_opts = num_mnt_opts;
+ opts->selinux.num_mnt_opts = num_mnt_opts;
return 0;
out_err:
@@ -1156,15 +1156,15 @@ static void selinux_write_opts(struct seq_file *m,
int i;
char *prefix;
- for (i = 0; i < opts->num_mnt_opts; i++) {
+ for (i = 0; i < opts->selinux.num_mnt_opts; i++) {
char *has_comma;
- if (opts->mnt_opts[i])
- has_comma = strchr(opts->mnt_opts[i], ',');
+ if (opts->selinux.mnt_opts[i])
+ has_comma = strchr(opts->selinux.mnt_opts[i], ',');
else
has_comma = NULL;
- switch (opts->mnt_opts_flags[i]) {
+ switch (opts->selinux.mnt_opts_flags[i]) {
case CONTEXT_MNT:
prefix = CONTEXT_STR;
break;
@@ -1190,7 +1190,7 @@ static void selinux_write_opts(struct seq_file *m,
seq_puts(m, prefix);
if (has_comma)
seq_putc(m, '\"');
- seq_escape(m, opts->mnt_opts[i], "\"\n\\");
+ seq_escape(m, opts->selinux.mnt_opts[i], "\"\n\\");
if (has_comma)
seq_putc(m, '\"');
}
@@ -2705,10 +2705,10 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
if (rc)
goto out_free_secdata;
- mount_options = opts.mnt_opts;
- flags = opts.mnt_opts_flags;
+ mount_options = opts.selinux.mnt_opts;
+ flags = opts.selinux.mnt_opts_flags;
- for (i = 0; i < opts.num_mnt_opts; i++) {
+ for (i = 0; i < opts.selinux.num_mnt_opts; i++) {
u32 sid;
if (flags[i] == SBLABEL_MNT)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 9031f2dc8bfb..9fb9148cf4b5 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -602,7 +602,7 @@ static int smack_parse_opts_str(char *options,
int num_mnt_opts = 0;
int token;
- opts->num_mnt_opts = 0;
+ opts->smack.num_mnt_opts = 0;
if (!options)
return 0;
@@ -652,43 +652,45 @@ static int smack_parse_opts_str(char *options,
goto out_err;
break;
default:
- rc = -EINVAL;
pr_warn("Smack: unknown mount option\n");
- goto out_err;
+ break;
}
}
- opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_KERNEL);
- if (!opts->mnt_opts)
+ opts->smack.mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *),
+ GFP_KERNEL);
+ if (!opts->smack.mnt_opts)
goto out_err;
- opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int),
- GFP_KERNEL);
- if (!opts->mnt_opts_flags)
+ opts->smack.mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int),
+ GFP_KERNEL);
+ if (!opts->smack.mnt_opts_flags) {
+ kfree(opts->smack.mnt_opts);
goto out_err;
+ }
if (fsdefault) {
- opts->mnt_opts[num_mnt_opts] = fsdefault;
- opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsdefault;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT;
}
if (fsfloor) {
- opts->mnt_opts[num_mnt_opts] = fsfloor;
- opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsfloor;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
}
if (fshat) {
- opts->mnt_opts[num_mnt_opts] = fshat;
- opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fshat;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
}
if (fsroot) {
- opts->mnt_opts[num_mnt_opts] = fsroot;
- opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fsroot;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
}
if (fstransmute) {
- opts->mnt_opts[num_mnt_opts] = fstransmute;
- opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
+ opts->smack.mnt_opts[num_mnt_opts] = fstransmute;
+ opts->smack.mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
}
- opts->num_mnt_opts = num_mnt_opts;
+ opts->smack.num_mnt_opts = num_mnt_opts;
return 0;
out_opt_err:
@@ -727,7 +729,7 @@ static int smack_set_mnt_opts(struct super_block *sb,
struct inode_smack *isp;
struct smack_known *skp;
int i;
- int num_opts = opts->num_mnt_opts;
+ int num_opts = opts->smack.num_mnt_opts;
int transmute = 0;
if (sp->smk_flags & SMK_SB_INITIALIZED)
@@ -761,33 +763,33 @@ static int smack_set_mnt_opts(struct super_block *sb,
sp->smk_flags |= SMK_SB_INITIALIZED;
for (i = 0; i < num_opts; i++) {
- switch (opts->mnt_opts_flags[i]) {
+ switch (opts->smack.mnt_opts_flags[i]) {
case FSDEFAULT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_default = skp;
break;
case FSFLOOR_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_floor = skp;
break;
case FSHAT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_hat = skp;
break;
case FSROOT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
break;
case FSTRANS_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_import_entry(opts->smack.mnt_opts[i], 0);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
--
2.13.0
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 8/9] LSM: Multiple security mount options
2017-10-27 21:45 ` [PATCH 8/9] LSM: Multiple security mount options Casey Schaufler
@ 2017-10-31 15:29 ` Stephen Smalley
2017-10-31 16:27 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: Stephen Smalley @ 2017-10-31 15:29 UTC (permalink / raw)
To: linux-security-module
On Fri, 2017-10-27 at 14:45 -0700, Casey Schaufler wrote:
> Subject: [PATCH 8/9] LSM: Multiple security mount options
>
> There needs to be separate data for each of the
> security modules that support mount options.
> Expand the security_mnt_opts structure to include
> an entry for each security module that uses them.
>
> It would be better to have a variable size blob,
> but there isn't a convenient place to hang such.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> ?fs/btrfs/super.c???????????| 10 +++---
> ?include/linux/security.h???| 53 ++++++++++++++++++++-------
> ?security/security.c????????| 15 ++++++--
> ?security/selinux/hooks.c???| 90 +++++++++++++++++++++++-------------
> ----------
> ?security/smack/smack_lsm.c | 54 ++++++++++++++--------------
> ?5 files changed, 131 insertions(+), 91 deletions(-)
>
> diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
> index 35a128acfbd1..f8f828267d45 100644
> --- a/fs/btrfs/super.c
> +++ b/fs/btrfs/super.c
> @@ -1512,15 +1512,15 @@ static int setup_security_options(struct
> btrfs_fs_info *fs_info,
> ? return ret;
> ?
> ?#ifdef CONFIG_SECURITY
> - if (!fs_info->security_opts.num_mnt_opts) {
> + if (fs_info->security_opts.selinux.num_mnt_opts != 0 ||
> + ????fs_info->security_opts.smack.num_mnt_opts != 0) {
> ? /* first time security setup, copy sec_opts to
> fs_info */
> ? memcpy(&fs_info->security_opts, sec_opts,
> sizeof(*sec_opts));
> ? } else {
> ? /*
> - ?* Since SELinux (the only one supporting
> security_mnt_opts)
> - ?* does NOT support changing context during
> remount/mount of
> - ?* the same sb, this must be the same or part of the
> same
> - ?* security options, just free it.
> + ?* Since no modules support changing context during
> + ?* remount/mount of the same sb, this must be the
> same
> + ?* or part of the same security options, just free
> it.
> ? ?*/
> ? security_free_mnt_opts(sec_opts);
> ? }
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 46ec92658ad3..3a70b23a7dcc 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -163,34 +163,63 @@ typedef int (*initxattrs) (struct inode *inode,
> ?
> ?#ifdef CONFIG_SECURITY
> ?
> -struct security_mnt_opts {
> +struct lsm_mnt_opts {
> ? char **mnt_opts;
> ? int *mnt_opts_flags;
> ? int num_mnt_opts;
> ?};
> ?
> +
> +struct security_mnt_opts {
> +#ifdef CONFIG_SECURITY_STACKING
> + struct lsm_mnt_opts?????selinux;
> + struct lsm_mnt_opts?????smack;
> +#else
> + union {
> + struct lsm_mnt_opts?????selinux;
> + struct lsm_mnt_opts?????smack;
> + };
> +#endif
> +};
> +
> ?int call_lsm_notifier(enum lsm_event event, void *data);
> ?int register_lsm_notifier(struct notifier_block *nb);
> ?int unregister_lsm_notifier(struct notifier_block *nb);
> ?
> ?static inline void security_init_mnt_opts(struct security_mnt_opts
> *opts)
> ?{
> - opts->mnt_opts = NULL;
> - opts->mnt_opts_flags = NULL;
> - opts->num_mnt_opts = 0;
> + opts->selinux.mnt_opts = NULL;
> + opts->selinux.mnt_opts_flags = NULL;
> + opts->selinux.num_mnt_opts = 0;
> +#ifdef CONFIG_SECURITY_STACKING
> + opts->smack.mnt_opts = NULL;
> + opts->smack.mnt_opts_flags = NULL;
> + opts->smack.num_mnt_opts = 0;
> +#endif
> ?}
> ?
> ?static inline void security_free_mnt_opts(struct security_mnt_opts
> *opts)
> ?{
> ? int i;
> - if (opts->mnt_opts)
> - for (i = 0; i < opts->num_mnt_opts; i++)
> - kfree(opts->mnt_opts[i]);
> - kfree(opts->mnt_opts);
> - opts->mnt_opts = NULL;
> - kfree(opts->mnt_opts_flags);
> - opts->mnt_opts_flags = NULL;
> - opts->num_mnt_opts = 0;
> + if (opts->selinux.mnt_opts)
> + for (i = 0; i < opts->selinux.num_mnt_opts; i++)
> + kfree(opts->selinux.mnt_opts[i]);
> + kfree(opts->selinux.mnt_opts);
> + opts->selinux.mnt_opts = NULL;
> + kfree(opts->selinux.mnt_opts_flags);
> + opts->selinux.mnt_opts_flags = NULL;
> + opts->selinux.num_mnt_opts = 0;
> +
> +#ifdef CONFIG_SECURITY_STACKING
> + if (opts->smack.mnt_opts)
> + for (i = 0; i < opts->smack.num_mnt_opts; i++)
> + kfree(opts->smack.mnt_opts[i]);
> + kfree(opts->smack.mnt_opts);
> + opts->smack.mnt_opts = NULL;
> + kfree(opts->smack.mnt_opts_flags);
> + opts->smack.mnt_opts_flags = NULL;
> + opts->smack.num_mnt_opts = 0;
> +#endif
> ?}
> ?
> ?/* prototypes */
> diff --git a/security/security.c b/security/security.c
> index 0269971b3b05..7a004006e761 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -771,9 +771,18 @@ int security_sb_set_mnt_opts(struct super_block
> *sb,
> ? unsigned long kern_flags,
> ? unsigned long *set_kern_flags)
> ?{
> - return call_int_hook(sb_set_mnt_opts,
> - opts->num_mnt_opts ? -EOPNOTSUPP :
> 0, sb,
> - opts, kern_flags, set_kern_flags);
> + int nobody = 0;
> +
> +#ifdef SECURITY_EXTREME_STACKING
> + if (opts->selinux.num_mnt_opts != 0 || opts-
> >smack.num_mnt_opts != 0)
> + nobody = -EOPNOTSUPP;
> +#else
> + if (opts->selinux.num_mnt_opts != 0)
> + nobody = -EOPNOTSUPP;
> +#endif
> +
> + return call_int_hook(sb_set_mnt_opts, nobody, sb, opts,
> kern_flags,
> + set_kern_flags);
> ?}
> ?EXPORT_SYMBOL(security_sb_set_mnt_opts);
> ?
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e6d6ab671493..395fbfa7bfac 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -545,21 +545,23 @@ static int selinux_get_mnt_opts(const struct
> super_block *sb,
> ? /* count the number of mount options for this sb */
> ? for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
> ? if (tmp & 0x01)
> - opts->num_mnt_opts++;
> + opts->selinux.num_mnt_opts++;
> ? tmp >>= 1;
> ? }
> ? /* Check if the Label support flag is set */
> ? if (sbsec->flags & SBLABEL_MNT)
> - opts->num_mnt_opts++;
> + opts->selinux.num_mnt_opts++;
> ?
> - opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *),
> GFP_ATOMIC);
> - if (!opts->mnt_opts) {
> + opts->selinux.mnt_opts = kcalloc(opts->selinux.num_mnt_opts,
> + sizeof(char *),
> GFP_ATOMIC);
> + if (!opts->selinux.mnt_opts) {
> ? rc = -ENOMEM;
> ? goto out_free;
> ? }
> ?
> - opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts,
> sizeof(int), GFP_ATOMIC);
> - if (!opts->mnt_opts_flags) {
> + opts->selinux.mnt_opts_flags = kcalloc(opts-
> >selinux.num_mnt_opts,
> + sizeof(int),
> GFP_ATOMIC);
> + if (!opts->selinux.mnt_opts_flags) {
> ? rc = -ENOMEM;
> ? goto out_free;
> ? }
> @@ -569,22 +571,22 @@ static int selinux_get_mnt_opts(const struct
> super_block *sb,
> ? rc = security_sid_to_context(sbsec->sid, &context,
> &len);
> ? if (rc)
> ? goto out_free;
> - opts->mnt_opts[i] = context;
> - opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
> + opts->selinux.mnt_opts[i] = context;
> + opts->selinux.mnt_opts_flags[i++] = FSCONTEXT_MNT;
> ? }
> ? if (sbsec->flags & CONTEXT_MNT) {
> ? rc = security_sid_to_context(sbsec->mntpoint_sid,
> &context, &len);
> ? if (rc)
> ? goto out_free;
> - opts->mnt_opts[i] = context;
> - opts->mnt_opts_flags[i++] = CONTEXT_MNT;
> + opts->selinux.mnt_opts[i] = context;
> + opts->selinux.mnt_opts_flags[i++] = CONTEXT_MNT;
> ? }
> ? if (sbsec->flags & DEFCONTEXT_MNT) {
> ? rc = security_sid_to_context(sbsec->def_sid,
> &context, &len);
> ? if (rc)
> ? goto out_free;
> - opts->mnt_opts[i] = context;
> - opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
> + opts->selinux.mnt_opts[i] = context;
> + opts->selinux.mnt_opts_flags[i++] = DEFCONTEXT_MNT;
> ? }
> ? if (sbsec->flags & ROOTCONTEXT_MNT) {
> ? struct dentry *root = sbsec->sb->s_root;
> @@ -594,15 +596,15 @@ static int selinux_get_mnt_opts(const struct
> super_block *sb,
> ? rc = security_sid_to_context(isec->sid, &context,
> &len);
> ? if (rc)
> ? goto out_free;
> - opts->mnt_opts[i] = context;
> - opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
> + opts->selinux.mnt_opts[i] = context;
> + opts->selinux.mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
> ? }
> ? if (sbsec->flags & SBLABEL_MNT) {
> - opts->mnt_opts[i] = NULL;
> - opts->mnt_opts_flags[i++] = SBLABEL_MNT;
> + opts->selinux.mnt_opts[i] = NULL;
> + opts->selinux.mnt_opts_flags[i++] = SBLABEL_MNT;
> ? }
> ?
> - BUG_ON(i != opts->num_mnt_opts);
> + BUG_ON(i != opts->selinux.num_mnt_opts);
> ?
> ? return 0;
> ?
> @@ -648,9 +650,9 @@ static int selinux_set_mnt_opts(struct
> super_block *sb,
> ? struct inode_security_struct *root_isec;
> ? u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
> ? u32 defcontext_sid = 0;
> - char **mount_options = opts->mnt_opts;
> - int *flags = opts->mnt_opts_flags;
> - int num_opts = opts->num_mnt_opts;
> + char **mount_options = opts->selinux.mnt_opts;
> + int *flags = opts->selinux.mnt_opts_flags;
> + int num_opts = opts->selinux.num_mnt_opts;
> ?
> ? mutex_lock(&sbsec->lock);
> ?
> @@ -1010,7 +1012,7 @@ static int selinux_parse_opts_str(char
> *options,
> ? char *fscontext = NULL, *rootcontext = NULL;
> ? int rc, num_mnt_opts = 0;
> ?
> - opts->num_mnt_opts = 0;
> + opts->selinux.num_mnt_opts = 0;
> ?
> ? /* Standard string-based options. */
> ? while ((p = strsep(&options, "|")) != NULL) {
> @@ -1077,41 +1079,39 @@ static int selinux_parse_opts_str(char
> *options,
> ? case Opt_labelsupport:
> ? break;
> ? default:
> - rc = -EINVAL;
> ? printk(KERN_WARNING "SELinux:??unknown mount
> option\n");
> - goto out_err;
> -
> + break;
You've changed what was a fatal error on mount() to just a warning.
I can see why - otherwise enabling Smack+SELinux together causes
systemd to pass both sets of options to mount() and then SELinux fails
on the unrecognized Smack mount option. But doesn't this also mean
that we will fail to catch errors where a truly unknown mount option is
used? Can't really rely on people to monitor their logs and act on such
warnings. It seems like we need to split the options to the security
modules so that each one only sees the ones it owns, or otherwise have
a validity check at the end that all of the options were consumed by at
least one module.
> ? }
> ? }
> ?
> ? rc = -ENOMEM;
> - opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *),
> GFP_KERNEL);
> - if (!opts->mnt_opts)
> + opts->selinux.mnt_opts = kcalloc(NUM_SEL_MNT_OPTS,
> sizeof(char *), GFP_KERNEL);
> + if (!opts->selinux.mnt_opts)
> ? goto out_err;
> ?
> - opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS,
> sizeof(int),
> + opts->selinux.mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS,
> sizeof(int),
> ? ???????GFP_KERNEL);
> - if (!opts->mnt_opts_flags)
> + if (!opts->selinux.mnt_opts_flags)
> ? goto out_err;
> ?
> ? if (fscontext) {
> - opts->mnt_opts[num_mnt_opts] = fscontext;
> - opts->mnt_opts_flags[num_mnt_opts++] =
> FSCONTEXT_MNT;
> + opts->selinux.mnt_opts[num_mnt_opts] = fscontext;
> + opts->selinux.mnt_opts_flags[num_mnt_opts++] =
> FSCONTEXT_MNT;
> ? }
> ? if (context) {
> - opts->mnt_opts[num_mnt_opts] = context;
> - opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
> + opts->selinux.mnt_opts[num_mnt_opts] = context;
> + opts->selinux.mnt_opts_flags[num_mnt_opts++] =
> CONTEXT_MNT;
> ? }
> ? if (rootcontext) {
> - opts->mnt_opts[num_mnt_opts] = rootcontext;
> - opts->mnt_opts_flags[num_mnt_opts++] =
> ROOTCONTEXT_MNT;
> + opts->selinux.mnt_opts[num_mnt_opts] = rootcontext;
> + opts->selinux.mnt_opts_flags[num_mnt_opts++] =
> ROOTCONTEXT_MNT;
> ? }
> ? if (defcontext) {
> - opts->mnt_opts[num_mnt_opts] = defcontext;
> - opts->mnt_opts_flags[num_mnt_opts++] =
> DEFCONTEXT_MNT;
> + opts->selinux.mnt_opts[num_mnt_opts] = defcontext;
> + opts->selinux.mnt_opts_flags[num_mnt_opts++] =
> DEFCONTEXT_MNT;
> ? }
> ?
> - opts->num_mnt_opts = num_mnt_opts;
> + opts->selinux.num_mnt_opts = num_mnt_opts;
> ? return 0;
> ?
> ?out_err:
> @@ -1156,15 +1156,15 @@ static void selinux_write_opts(struct
> seq_file *m,
> ? int i;
> ? char *prefix;
> ?
> - for (i = 0; i < opts->num_mnt_opts; i++) {
> + for (i = 0; i < opts->selinux.num_mnt_opts; i++) {
> ? char *has_comma;
> ?
> - if (opts->mnt_opts[i])
> - has_comma = strchr(opts->mnt_opts[i], ',');
> + if (opts->selinux.mnt_opts[i])
> + has_comma = strchr(opts-
> >selinux.mnt_opts[i], ',');
> ? else
> ? has_comma = NULL;
> ?
> - switch (opts->mnt_opts_flags[i]) {
> + switch (opts->selinux.mnt_opts_flags[i]) {
> ? case CONTEXT_MNT:
> ? prefix = CONTEXT_STR;
> ? break;
> @@ -1190,7 +1190,7 @@ static void selinux_write_opts(struct seq_file
> *m,
> ? seq_puts(m, prefix);
> ? if (has_comma)
> ? seq_putc(m, '\"');
> - seq_escape(m, opts->mnt_opts[i], "\"\n\\");
> + seq_escape(m, opts->selinux.mnt_opts[i], "\"\n\\");
> ? if (has_comma)
> ? seq_putc(m, '\"');
> ? }
> @@ -2705,10 +2705,10 @@ static int selinux_sb_remount(struct
> super_block *sb, void *data)
> ? if (rc)
> ? goto out_free_secdata;
> ?
> - mount_options = opts.mnt_opts;
> - flags = opts.mnt_opts_flags;
> + mount_options = opts.selinux.mnt_opts;
> + flags = opts.selinux.mnt_opts_flags;
> ?
> - for (i = 0; i < opts.num_mnt_opts; i++) {
> + for (i = 0; i < opts.selinux.num_mnt_opts; i++) {
> ? u32 sid;
> ?
> ? if (flags[i] == SBLABEL_MNT)
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 9031f2dc8bfb..9fb9148cf4b5 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -602,7 +602,7 @@ static int smack_parse_opts_str(char *options,
> ? int num_mnt_opts = 0;
> ? int token;
> ?
> - opts->num_mnt_opts = 0;
> + opts->smack.num_mnt_opts = 0;
> ?
> ? if (!options)
> ? return 0;
> @@ -652,43 +652,45 @@ static int smack_parse_opts_str(char *options,
> ? goto out_err;
> ? break;
> ? default:
> - rc = -EINVAL;
> ? pr_warn("Smack:??unknown mount option\n");
> - goto out_err;
> + break;
> ? }
> ? }
> ?
> - opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *),
> GFP_KERNEL);
> - if (!opts->mnt_opts)
> + opts->smack.mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char
> *),
> + GFP_KERNEL);
> + if (!opts->smack.mnt_opts)
> ? goto out_err;
> ?
> - opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS,
> sizeof(int),
> - GFP_KERNEL);
> - if (!opts->mnt_opts_flags)
> + opts->smack.mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS,
> sizeof(int),
> + GFP_KERNEL);
> + if (!opts->smack.mnt_opts_flags) {
> + kfree(opts->smack.mnt_opts);
> ? goto out_err;
> + }
> ?
> ? if (fsdefault) {
> - opts->mnt_opts[num_mnt_opts] = fsdefault;
> - opts->mnt_opts_flags[num_mnt_opts++] =
> FSDEFAULT_MNT;
> + opts->smack.mnt_opts[num_mnt_opts] = fsdefault;
> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
> FSDEFAULT_MNT;
> ? }
> ? if (fsfloor) {
> - opts->mnt_opts[num_mnt_opts] = fsfloor;
> - opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
> + opts->smack.mnt_opts[num_mnt_opts] = fsfloor;
> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
> FSFLOOR_MNT;
> ? }
> ? if (fshat) {
> - opts->mnt_opts[num_mnt_opts] = fshat;
> - opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
> + opts->smack.mnt_opts[num_mnt_opts] = fshat;
> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
> FSHAT_MNT;
> ? }
> ? if (fsroot) {
> - opts->mnt_opts[num_mnt_opts] = fsroot;
> - opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
> + opts->smack.mnt_opts[num_mnt_opts] = fsroot;
> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
> FSROOT_MNT;
> ? }
> ? if (fstransmute) {
> - opts->mnt_opts[num_mnt_opts] = fstransmute;
> - opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
> + opts->smack.mnt_opts[num_mnt_opts] = fstransmute;
> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
> FSTRANS_MNT;
> ? }
> ?
> - opts->num_mnt_opts = num_mnt_opts;
> + opts->smack.num_mnt_opts = num_mnt_opts;
> ? return 0;
> ?
> ?out_opt_err:
> @@ -727,7 +729,7 @@ static int smack_set_mnt_opts(struct super_block
> *sb,
> ? struct inode_smack *isp;
> ? struct smack_known *skp;
> ? int i;
> - int num_opts = opts->num_mnt_opts;
> + int num_opts = opts->smack.num_mnt_opts;
> ? int transmute = 0;
> ?
> ? if (sp->smk_flags & SMK_SB_INITIALIZED)
> @@ -761,33 +763,33 @@ static int smack_set_mnt_opts(struct
> super_block *sb,
> ? sp->smk_flags |= SMK_SB_INITIALIZED;
> ?
> ? for (i = 0; i < num_opts; i++) {
> - switch (opts->mnt_opts_flags[i]) {
> + switch (opts->smack.mnt_opts_flags[i]) {
> ? case FSDEFAULT_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i],
> 0);
> + skp = smk_import_entry(opts-
> >smack.mnt_opts[i], 0);
> ? if (IS_ERR(skp))
> ? return PTR_ERR(skp);
> ? sp->smk_default = skp;
> ? break;
> ? case FSFLOOR_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i],
> 0);
> + skp = smk_import_entry(opts-
> >smack.mnt_opts[i], 0);
> ? if (IS_ERR(skp))
> ? return PTR_ERR(skp);
> ? sp->smk_floor = skp;
> ? break;
> ? case FSHAT_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i],
> 0);
> + skp = smk_import_entry(opts-
> >smack.mnt_opts[i], 0);
> ? if (IS_ERR(skp))
> ? return PTR_ERR(skp);
> ? sp->smk_hat = skp;
> ? break;
> ? case FSROOT_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i],
> 0);
> + skp = smk_import_entry(opts-
> >smack.mnt_opts[i], 0);
> ? if (IS_ERR(skp))
> ? return PTR_ERR(skp);
> ? sp->smk_root = skp;
> ? break;
> ? case FSTRANS_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i],
> 0);
> + skp = smk_import_entry(opts-
> >smack.mnt_opts[i], 0);
> ? if (IS_ERR(skp))
> ? return PTR_ERR(skp);
> ? sp->smk_root = skp;
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 8/9] LSM: Multiple security mount options
2017-10-31 15:29 ` Stephen Smalley
@ 2017-10-31 16:27 ` Casey Schaufler
0 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-31 16:27 UTC (permalink / raw)
To: linux-security-module
On 10/31/2017 8:29 AM, Stephen Smalley wrote:
> On Fri, 2017-10-27 at 14:45 -0700, Casey Schaufler wrote:
>> Subject: [PATCH 8/9] LSM: Multiple security mount options
>>
>> There needs to be separate data for each of the
>> security modules that support mount options.
>> Expand the security_mnt_opts structure to include
>> an entry for each security module that uses them.
>>
>> It would be better to have a variable size blob,
>> but there isn't a convenient place to hang such.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>> ?fs/btrfs/super.c???????????| 10 +++---
>> ?include/linux/security.h???| 53 ++++++++++++++++++++-------
>> ?security/security.c????????| 15 ++++++--
>> ?security/selinux/hooks.c???| 90 +++++++++++++++++++++++-------------
>> ----------
>> ?security/smack/smack_lsm.c | 54 ++++++++++++++--------------
>> ?5 files changed, 131 insertions(+), 91 deletions(-)
>>
>> diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
>> index 35a128acfbd1..f8f828267d45 100644
>> --- a/fs/btrfs/super.c
>> +++ b/fs/btrfs/super.c
>> @@ -1512,15 +1512,15 @@ static int setup_security_options(struct
>> btrfs_fs_info *fs_info,
>> ? return ret;
>> ?
>> ?#ifdef CONFIG_SECURITY
>> - if (!fs_info->security_opts.num_mnt_opts) {
>> + if (fs_info->security_opts.selinux.num_mnt_opts != 0 ||
>> + ????fs_info->security_opts.smack.num_mnt_opts != 0) {
>> ? /* first time security setup, copy sec_opts to
>> fs_info */
>> ? memcpy(&fs_info->security_opts, sec_opts,
>> sizeof(*sec_opts));
>> ? } else {
>> ? /*
>> - ?* Since SELinux (the only one supporting
>> security_mnt_opts)
>> - ?* does NOT support changing context during
>> remount/mount of
>> - ?* the same sb, this must be the same or part of the
>> same
>> - ?* security options, just free it.
>> + ?* Since no modules support changing context during
>> + ?* remount/mount of the same sb, this must be the
>> same
>> + ?* or part of the same security options, just free
>> it.
>> ? ?*/
>> ? security_free_mnt_opts(sec_opts);
>> ? }
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 46ec92658ad3..3a70b23a7dcc 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -163,34 +163,63 @@ typedef int (*initxattrs) (struct inode *inode,
>> ?
>> ?#ifdef CONFIG_SECURITY
>> ?
>> -struct security_mnt_opts {
>> +struct lsm_mnt_opts {
>> ? char **mnt_opts;
>> ? int *mnt_opts_flags;
>> ? int num_mnt_opts;
>> ?};
>> ?
>> +
>> +struct security_mnt_opts {
>> +#ifdef CONFIG_SECURITY_STACKING
>> + struct lsm_mnt_opts?????selinux;
>> + struct lsm_mnt_opts?????smack;
>> +#else
>> + union {
>> + struct lsm_mnt_opts?????selinux;
>> + struct lsm_mnt_opts?????smack;
>> + };
>> +#endif
>> +};
>> +
>> ?int call_lsm_notifier(enum lsm_event event, void *data);
>> ?int register_lsm_notifier(struct notifier_block *nb);
>> ?int unregister_lsm_notifier(struct notifier_block *nb);
>> ?
>> ?static inline void security_init_mnt_opts(struct security_mnt_opts
>> *opts)
>> ?{
>> - opts->mnt_opts = NULL;
>> - opts->mnt_opts_flags = NULL;
>> - opts->num_mnt_opts = 0;
>> + opts->selinux.mnt_opts = NULL;
>> + opts->selinux.mnt_opts_flags = NULL;
>> + opts->selinux.num_mnt_opts = 0;
>> +#ifdef CONFIG_SECURITY_STACKING
>> + opts->smack.mnt_opts = NULL;
>> + opts->smack.mnt_opts_flags = NULL;
>> + opts->smack.num_mnt_opts = 0;
>> +#endif
>> ?}
>> ?
>> ?static inline void security_free_mnt_opts(struct security_mnt_opts
>> *opts)
>> ?{
>> ? int i;
>> - if (opts->mnt_opts)
>> - for (i = 0; i < opts->num_mnt_opts; i++)
>> - kfree(opts->mnt_opts[i]);
>> - kfree(opts->mnt_opts);
>> - opts->mnt_opts = NULL;
>> - kfree(opts->mnt_opts_flags);
>> - opts->mnt_opts_flags = NULL;
>> - opts->num_mnt_opts = 0;
>> + if (opts->selinux.mnt_opts)
>> + for (i = 0; i < opts->selinux.num_mnt_opts; i++)
>> + kfree(opts->selinux.mnt_opts[i]);
>> + kfree(opts->selinux.mnt_opts);
>> + opts->selinux.mnt_opts = NULL;
>> + kfree(opts->selinux.mnt_opts_flags);
>> + opts->selinux.mnt_opts_flags = NULL;
>> + opts->selinux.num_mnt_opts = 0;
>> +
>> +#ifdef CONFIG_SECURITY_STACKING
>> + if (opts->smack.mnt_opts)
>> + for (i = 0; i < opts->smack.num_mnt_opts; i++)
>> + kfree(opts->smack.mnt_opts[i]);
>> + kfree(opts->smack.mnt_opts);
>> + opts->smack.mnt_opts = NULL;
>> + kfree(opts->smack.mnt_opts_flags);
>> + opts->smack.mnt_opts_flags = NULL;
>> + opts->smack.num_mnt_opts = 0;
>> +#endif
>> ?}
>> ?
>> ?/* prototypes */
>> diff --git a/security/security.c b/security/security.c
>> index 0269971b3b05..7a004006e761 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -771,9 +771,18 @@ int security_sb_set_mnt_opts(struct super_block
>> *sb,
>> ? unsigned long kern_flags,
>> ? unsigned long *set_kern_flags)
>> ?{
>> - return call_int_hook(sb_set_mnt_opts,
>> - opts->num_mnt_opts ? -EOPNOTSUPP :
>> 0, sb,
>> - opts, kern_flags, set_kern_flags);
>> + int nobody = 0;
>> +
>> +#ifdef SECURITY_EXTREME_STACKING
>> + if (opts->selinux.num_mnt_opts != 0 || opts-
>>> smack.num_mnt_opts != 0)
>> + nobody = -EOPNOTSUPP;
>> +#else
>> + if (opts->selinux.num_mnt_opts != 0)
>> + nobody = -EOPNOTSUPP;
>> +#endif
>> +
>> + return call_int_hook(sb_set_mnt_opts, nobody, sb, opts,
>> kern_flags,
>> + set_kern_flags);
>> ?}
>> ?EXPORT_SYMBOL(security_sb_set_mnt_opts);
>> ?
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index e6d6ab671493..395fbfa7bfac 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -545,21 +545,23 @@ static int selinux_get_mnt_opts(const struct
>> super_block *sb,
>> ? /* count the number of mount options for this sb */
>> ? for (i = 0; i < NUM_SEL_MNT_OPTS; i++) {
>> ? if (tmp & 0x01)
>> - opts->num_mnt_opts++;
>> + opts->selinux.num_mnt_opts++;
>> ? tmp >>= 1;
>> ? }
>> ? /* Check if the Label support flag is set */
>> ? if (sbsec->flags & SBLABEL_MNT)
>> - opts->num_mnt_opts++;
>> + opts->selinux.num_mnt_opts++;
>> ?
>> - opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *),
>> GFP_ATOMIC);
>> - if (!opts->mnt_opts) {
>> + opts->selinux.mnt_opts = kcalloc(opts->selinux.num_mnt_opts,
>> + sizeof(char *),
>> GFP_ATOMIC);
>> + if (!opts->selinux.mnt_opts) {
>> ? rc = -ENOMEM;
>> ? goto out_free;
>> ? }
>> ?
>> - opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts,
>> sizeof(int), GFP_ATOMIC);
>> - if (!opts->mnt_opts_flags) {
>> + opts->selinux.mnt_opts_flags = kcalloc(opts-
>>> selinux.num_mnt_opts,
>> + sizeof(int),
>> GFP_ATOMIC);
>> + if (!opts->selinux.mnt_opts_flags) {
>> ? rc = -ENOMEM;
>> ? goto out_free;
>> ? }
>> @@ -569,22 +571,22 @@ static int selinux_get_mnt_opts(const struct
>> super_block *sb,
>> ? rc = security_sid_to_context(sbsec->sid, &context,
>> &len);
>> ? if (rc)
>> ? goto out_free;
>> - opts->mnt_opts[i] = context;
>> - opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
>> + opts->selinux.mnt_opts[i] = context;
>> + opts->selinux.mnt_opts_flags[i++] = FSCONTEXT_MNT;
>> ? }
>> ? if (sbsec->flags & CONTEXT_MNT) {
>> ? rc = security_sid_to_context(sbsec->mntpoint_sid,
>> &context, &len);
>> ? if (rc)
>> ? goto out_free;
>> - opts->mnt_opts[i] = context;
>> - opts->mnt_opts_flags[i++] = CONTEXT_MNT;
>> + opts->selinux.mnt_opts[i] = context;
>> + opts->selinux.mnt_opts_flags[i++] = CONTEXT_MNT;
>> ? }
>> ? if (sbsec->flags & DEFCONTEXT_MNT) {
>> ? rc = security_sid_to_context(sbsec->def_sid,
>> &context, &len);
>> ? if (rc)
>> ? goto out_free;
>> - opts->mnt_opts[i] = context;
>> - opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
>> + opts->selinux.mnt_opts[i] = context;
>> + opts->selinux.mnt_opts_flags[i++] = DEFCONTEXT_MNT;
>> ? }
>> ? if (sbsec->flags & ROOTCONTEXT_MNT) {
>> ? struct dentry *root = sbsec->sb->s_root;
>> @@ -594,15 +596,15 @@ static int selinux_get_mnt_opts(const struct
>> super_block *sb,
>> ? rc = security_sid_to_context(isec->sid, &context,
>> &len);
>> ? if (rc)
>> ? goto out_free;
>> - opts->mnt_opts[i] = context;
>> - opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
>> + opts->selinux.mnt_opts[i] = context;
>> + opts->selinux.mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
>> ? }
>> ? if (sbsec->flags & SBLABEL_MNT) {
>> - opts->mnt_opts[i] = NULL;
>> - opts->mnt_opts_flags[i++] = SBLABEL_MNT;
>> + opts->selinux.mnt_opts[i] = NULL;
>> + opts->selinux.mnt_opts_flags[i++] = SBLABEL_MNT;
>> ? }
>> ?
>> - BUG_ON(i != opts->num_mnt_opts);
>> + BUG_ON(i != opts->selinux.num_mnt_opts);
>> ?
>> ? return 0;
>> ?
>> @@ -648,9 +650,9 @@ static int selinux_set_mnt_opts(struct
>> super_block *sb,
>> ? struct inode_security_struct *root_isec;
>> ? u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
>> ? u32 defcontext_sid = 0;
>> - char **mount_options = opts->mnt_opts;
>> - int *flags = opts->mnt_opts_flags;
>> - int num_opts = opts->num_mnt_opts;
>> + char **mount_options = opts->selinux.mnt_opts;
>> + int *flags = opts->selinux.mnt_opts_flags;
>> + int num_opts = opts->selinux.num_mnt_opts;
>> ?
>> ? mutex_lock(&sbsec->lock);
>> ?
>> @@ -1010,7 +1012,7 @@ static int selinux_parse_opts_str(char
>> *options,
>> ? char *fscontext = NULL, *rootcontext = NULL;
>> ? int rc, num_mnt_opts = 0;
>> ?
>> - opts->num_mnt_opts = 0;
>> + opts->selinux.num_mnt_opts = 0;
>> ?
>> ? /* Standard string-based options. */
>> ? while ((p = strsep(&options, "|")) != NULL) {
>> @@ -1077,41 +1079,39 @@ static int selinux_parse_opts_str(char
>> *options,
>> ? case Opt_labelsupport:
>> ? break;
>> ? default:
>> - rc = -EINVAL;
>> ? printk(KERN_WARNING "SELinux:??unknown mount
>> option\n");
>> - goto out_err;
>> -
>> + break;
> You've changed what was a fatal error on mount() to just a warning.
> I can see why - otherwise enabling Smack+SELinux together causes
> systemd to pass both sets of options to mount() and then SELinux fails
> on the unrecognized Smack mount option. But doesn't this also mean
> that we will fail to catch errors where a truly unknown mount option is
> used? Can't really rely on people to monitor their logs and act on such
> warnings. It seems like we need to split the options to the security
> modules so that each one only sees the ones it owns, or otherwise have
> a validity check at the end that all of the options were consumed by at
> least one module.
My tests show correct behavior for all cases.
succeeds: smackfsroot='*'
succeeds: smackfsroot='*',seclabel
fails: ferbel=99
fails: smackfsroot='*',seclabel,ferbel=99
I am willing to accept that there may be combinations that
do not work correctly, but I don't see one.
I am also expecting David Howells' rewhack of the mount code
to land soon. That will require a complete rethink of this
implementation. If that doesn't land it may be worth considering
moving the logic which is almost identical in SELinux and Smack
to the infrastructure and passing module specific option lists.
>
>> ? }
>> ? }
>> ?
>> ? rc = -ENOMEM;
>> - opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *),
>> GFP_KERNEL);
>> - if (!opts->mnt_opts)
>> + opts->selinux.mnt_opts = kcalloc(NUM_SEL_MNT_OPTS,
>> sizeof(char *), GFP_KERNEL);
>> + if (!opts->selinux.mnt_opts)
>> ? goto out_err;
>> ?
>> - opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS,
>> sizeof(int),
>> + opts->selinux.mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS,
>> sizeof(int),
>> ? ???????GFP_KERNEL);
>> - if (!opts->mnt_opts_flags)
>> + if (!opts->selinux.mnt_opts_flags)
>> ? goto out_err;
>> ?
>> ? if (fscontext) {
>> - opts->mnt_opts[num_mnt_opts] = fscontext;
>> - opts->mnt_opts_flags[num_mnt_opts++] =
>> FSCONTEXT_MNT;
>> + opts->selinux.mnt_opts[num_mnt_opts] = fscontext;
>> + opts->selinux.mnt_opts_flags[num_mnt_opts++] =
>> FSCONTEXT_MNT;
>> ? }
>> ? if (context) {
>> - opts->mnt_opts[num_mnt_opts] = context;
>> - opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
>> + opts->selinux.mnt_opts[num_mnt_opts] = context;
>> + opts->selinux.mnt_opts_flags[num_mnt_opts++] =
>> CONTEXT_MNT;
>> ? }
>> ? if (rootcontext) {
>> - opts->mnt_opts[num_mnt_opts] = rootcontext;
>> - opts->mnt_opts_flags[num_mnt_opts++] =
>> ROOTCONTEXT_MNT;
>> + opts->selinux.mnt_opts[num_mnt_opts] = rootcontext;
>> + opts->selinux.mnt_opts_flags[num_mnt_opts++] =
>> ROOTCONTEXT_MNT;
>> ? }
>> ? if (defcontext) {
>> - opts->mnt_opts[num_mnt_opts] = defcontext;
>> - opts->mnt_opts_flags[num_mnt_opts++] =
>> DEFCONTEXT_MNT;
>> + opts->selinux.mnt_opts[num_mnt_opts] = defcontext;
>> + opts->selinux.mnt_opts_flags[num_mnt_opts++] =
>> DEFCONTEXT_MNT;
>> ? }
>> ?
>> - opts->num_mnt_opts = num_mnt_opts;
>> + opts->selinux.num_mnt_opts = num_mnt_opts;
>> ? return 0;
>> ?
>> ?out_err:
>> @@ -1156,15 +1156,15 @@ static void selinux_write_opts(struct
>> seq_file *m,
>> ? int i;
>> ? char *prefix;
>> ?
>> - for (i = 0; i < opts->num_mnt_opts; i++) {
>> + for (i = 0; i < opts->selinux.num_mnt_opts; i++) {
>> ? char *has_comma;
>> ?
>> - if (opts->mnt_opts[i])
>> - has_comma = strchr(opts->mnt_opts[i], ',');
>> + if (opts->selinux.mnt_opts[i])
>> + has_comma = strchr(opts-
>>> selinux.mnt_opts[i], ',');
>> ? else
>> ? has_comma = NULL;
>> ?
>> - switch (opts->mnt_opts_flags[i]) {
>> + switch (opts->selinux.mnt_opts_flags[i]) {
>> ? case CONTEXT_MNT:
>> ? prefix = CONTEXT_STR;
>> ? break;
>> @@ -1190,7 +1190,7 @@ static void selinux_write_opts(struct seq_file
>> *m,
>> ? seq_puts(m, prefix);
>> ? if (has_comma)
>> ? seq_putc(m, '\"');
>> - seq_escape(m, opts->mnt_opts[i], "\"\n\\");
>> + seq_escape(m, opts->selinux.mnt_opts[i], "\"\n\\");
>> ? if (has_comma)
>> ? seq_putc(m, '\"');
>> ? }
>> @@ -2705,10 +2705,10 @@ static int selinux_sb_remount(struct
>> super_block *sb, void *data)
>> ? if (rc)
>> ? goto out_free_secdata;
>> ?
>> - mount_options = opts.mnt_opts;
>> - flags = opts.mnt_opts_flags;
>> + mount_options = opts.selinux.mnt_opts;
>> + flags = opts.selinux.mnt_opts_flags;
>> ?
>> - for (i = 0; i < opts.num_mnt_opts; i++) {
>> + for (i = 0; i < opts.selinux.num_mnt_opts; i++) {
>> ? u32 sid;
>> ?
>> ? if (flags[i] == SBLABEL_MNT)
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index 9031f2dc8bfb..9fb9148cf4b5 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -602,7 +602,7 @@ static int smack_parse_opts_str(char *options,
>> ? int num_mnt_opts = 0;
>> ? int token;
>> ?
>> - opts->num_mnt_opts = 0;
>> + opts->smack.num_mnt_opts = 0;
>> ?
>> ? if (!options)
>> ? return 0;
>> @@ -652,43 +652,45 @@ static int smack_parse_opts_str(char *options,
>> ? goto out_err;
>> ? break;
>> ? default:
>> - rc = -EINVAL;
>> ? pr_warn("Smack:??unknown mount option\n");
>> - goto out_err;
>> + break;
>> ? }
>> ? }
>> ?
>> - opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *),
>> GFP_KERNEL);
>> - if (!opts->mnt_opts)
>> + opts->smack.mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char
>> *),
>> + GFP_KERNEL);
>> + if (!opts->smack.mnt_opts)
>> ? goto out_err;
>> ?
>> - opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS,
>> sizeof(int),
>> - GFP_KERNEL);
>> - if (!opts->mnt_opts_flags)
>> + opts->smack.mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS,
>> sizeof(int),
>> + GFP_KERNEL);
>> + if (!opts->smack.mnt_opts_flags) {
>> + kfree(opts->smack.mnt_opts);
>> ? goto out_err;
>> + }
>> ?
>> ? if (fsdefault) {
>> - opts->mnt_opts[num_mnt_opts] = fsdefault;
>> - opts->mnt_opts_flags[num_mnt_opts++] =
>> FSDEFAULT_MNT;
>> + opts->smack.mnt_opts[num_mnt_opts] = fsdefault;
>> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
>> FSDEFAULT_MNT;
>> ? }
>> ? if (fsfloor) {
>> - opts->mnt_opts[num_mnt_opts] = fsfloor;
>> - opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
>> + opts->smack.mnt_opts[num_mnt_opts] = fsfloor;
>> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
>> FSFLOOR_MNT;
>> ? }
>> ? if (fshat) {
>> - opts->mnt_opts[num_mnt_opts] = fshat;
>> - opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
>> + opts->smack.mnt_opts[num_mnt_opts] = fshat;
>> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
>> FSHAT_MNT;
>> ? }
>> ? if (fsroot) {
>> - opts->mnt_opts[num_mnt_opts] = fsroot;
>> - opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
>> + opts->smack.mnt_opts[num_mnt_opts] = fsroot;
>> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
>> FSROOT_MNT;
>> ? }
>> ? if (fstransmute) {
>> - opts->mnt_opts[num_mnt_opts] = fstransmute;
>> - opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
>> + opts->smack.mnt_opts[num_mnt_opts] = fstransmute;
>> + opts->smack.mnt_opts_flags[num_mnt_opts++] =
>> FSTRANS_MNT;
>> ? }
>> ?
>> - opts->num_mnt_opts = num_mnt_opts;
>> + opts->smack.num_mnt_opts = num_mnt_opts;
>> ? return 0;
>> ?
>> ?out_opt_err:
>> @@ -727,7 +729,7 @@ static int smack_set_mnt_opts(struct super_block
>> *sb,
>> ? struct inode_smack *isp;
>> ? struct smack_known *skp;
>> ? int i;
>> - int num_opts = opts->num_mnt_opts;
>> + int num_opts = opts->smack.num_mnt_opts;
>> ? int transmute = 0;
>> ?
>> ? if (sp->smk_flags & SMK_SB_INITIALIZED)
>> @@ -761,33 +763,33 @@ static int smack_set_mnt_opts(struct
>> super_block *sb,
>> ? sp->smk_flags |= SMK_SB_INITIALIZED;
>> ?
>> ? for (i = 0; i < num_opts; i++) {
>> - switch (opts->mnt_opts_flags[i]) {
>> + switch (opts->smack.mnt_opts_flags[i]) {
>> ? case FSDEFAULT_MNT:
>> - skp = smk_import_entry(opts->mnt_opts[i],
>> 0);
>> + skp = smk_import_entry(opts-
>>> smack.mnt_opts[i], 0);
>> ? if (IS_ERR(skp))
>> ? return PTR_ERR(skp);
>> ? sp->smk_default = skp;
>> ? break;
>> ? case FSFLOOR_MNT:
>> - skp = smk_import_entry(opts->mnt_opts[i],
>> 0);
>> + skp = smk_import_entry(opts-
>>> smack.mnt_opts[i], 0);
>> ? if (IS_ERR(skp))
>> ? return PTR_ERR(skp);
>> ? sp->smk_floor = skp;
>> ? break;
>> ? case FSHAT_MNT:
>> - skp = smk_import_entry(opts->mnt_opts[i],
>> 0);
>> + skp = smk_import_entry(opts-
>>> smack.mnt_opts[i], 0);
>> ? if (IS_ERR(skp))
>> ? return PTR_ERR(skp);
>> ? sp->smk_hat = skp;
>> ? break;
>> ? case FSROOT_MNT:
>> - skp = smk_import_entry(opts->mnt_opts[i],
>> 0);
>> + skp = smk_import_entry(opts-
>>> smack.mnt_opts[i], 0);
>> ? if (IS_ERR(skp))
>> ? return PTR_ERR(skp);
>> ? sp->smk_root = skp;
>> ? break;
>> ? case FSTRANS_MNT:
>> - skp = smk_import_entry(opts->mnt_opts[i],
>> 0);
>> + skp = smk_import_entry(opts-
>>> smack.mnt_opts[i], 0);
>> ? if (IS_ERR(skp))
>> ? return PTR_ERR(skp);
>> ? sp->smk_root = skp;
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH 9/9] LSM: Full security module stacking
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
` (7 preceding siblings ...)
2017-10-27 21:45 ` [PATCH 8/9] LSM: Multiple security mount options Casey Schaufler
@ 2017-10-27 21:45 ` Casey Schaufler
2017-11-06 16:11 ` [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 James Morris
2017-11-11 15:48 ` Paul Moore
10 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-10-27 21:45 UTC (permalink / raw)
To: linux-security-module
Subject: [PATCH 9/9] LSM: Full security module stacking
Allow any combination of existing security modules,
including those using secids and security marked networking.
The interfaces used by filesystems to maintain security
attributes:
security_inode_setsecctx
security_inode_getsecctx
security_inode_notifysecctx
have been trained to keep a full set of attributes
using the "lsm1='data1',lsm2='data2'" format.
A sockopt interface has been added to identify which
security module should be invoked when secids are
translated to secctx and back. If none is specified the
first module will be used. This eliminates the ambiguity
of what data will be seen in user-space at the cost of
requiring user-space code to be explicit about what it
wants to see.
Issues remain with the use of netlabel, as SELinux and
Smack use the interfaces differently.
Audit has not been fully tested, and may not always
be providing the correct security module information.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
arch/alpha/include/uapi/asm/socket.h | 2 +
arch/frv/include/uapi/asm/socket.h | 2 +
arch/ia64/include/uapi/asm/socket.h | 2 +
arch/m32r/include/uapi/asm/socket.h | 2 +
arch/mips/include/uapi/asm/socket.h | 2 +
arch/mn10300/include/uapi/asm/socket.h | 2 +
arch/parisc/include/uapi/asm/socket.h | 2 +
arch/s390/include/uapi/asm/socket.h | 2 +
arch/sparc/include/uapi/asm/socket.h | 2 +
arch/xtensa/include/uapi/asm/socket.h | 2 +
fs/xattr.c | 2 +-
include/linux/security.h | 35 ++-
include/net/scm.h | 3 +-
include/uapi/asm-generic/socket.h | 2 +
kernel/audit.c | 16 +-
kernel/auditsc.c | 4 +-
kernel/cred.c | 2 +-
net/core/sock.c | 4 +
net/ipv4/ip_sockglue.c | 8 +-
net/netfilter/nf_conntrack_netlink.c | 9 +-
net/netfilter/nf_conntrack_standalone.c | 2 +-
net/netfilter/nfnetlink_queue.c | 3 +-
net/netfilter/xt_SECMARK.c | 2 +-
net/netlabel/netlabel_unlabeled.c | 12 +-
net/netlabel/netlabel_user.c | 2 +-
security/Kconfig | 52 +----
security/security.c | 378 ++++++++++++++++++++++++++++----
security/selinux/hooks.c | 4 +
security/smack/smack_lsm.c | 18 +-
29 files changed, 456 insertions(+), 122 deletions(-)
diff --git a/arch/alpha/include/uapi/asm/socket.h b/arch/alpha/include/uapi/asm/socket.h
index c6133a045352..3089e9a35a2b 100644
--- a/arch/alpha/include/uapi/asm/socket.h
+++ b/arch/alpha/include/uapi/asm/socket.h
@@ -111,4 +111,6 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* _UAPI_ASM_SOCKET_H */
diff --git a/arch/frv/include/uapi/asm/socket.h b/arch/frv/include/uapi/asm/socket.h
index 9abf02d6855a..77c671cd0b81 100644
--- a/arch/frv/include/uapi/asm/socket.h
+++ b/arch/frv/include/uapi/asm/socket.h
@@ -104,5 +104,7 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* _ASM_SOCKET_H */
diff --git a/arch/ia64/include/uapi/asm/socket.h b/arch/ia64/include/uapi/asm/socket.h
index 002eb85a6941..6c0ebb0ff56e 100644
--- a/arch/ia64/include/uapi/asm/socket.h
+++ b/arch/ia64/include/uapi/asm/socket.h
@@ -113,4 +113,6 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* _ASM_IA64_SOCKET_H */
diff --git a/arch/m32r/include/uapi/asm/socket.h b/arch/m32r/include/uapi/asm/socket.h
index e268e51a38d1..58e36a070ea2 100644
--- a/arch/m32r/include/uapi/asm/socket.h
+++ b/arch/m32r/include/uapi/asm/socket.h
@@ -104,4 +104,6 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* _ASM_M32R_SOCKET_H */
diff --git a/arch/mips/include/uapi/asm/socket.h b/arch/mips/include/uapi/asm/socket.h
index 6c755bc07975..d2c700015a8b 100644
--- a/arch/mips/include/uapi/asm/socket.h
+++ b/arch/mips/include/uapi/asm/socket.h
@@ -122,4 +122,6 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* _UAPI_ASM_SOCKET_H */
diff --git a/arch/mn10300/include/uapi/asm/socket.h b/arch/mn10300/include/uapi/asm/socket.h
index ac82a3f26dbf..4906db01d5db 100644
--- a/arch/mn10300/include/uapi/asm/socket.h
+++ b/arch/mn10300/include/uapi/asm/socket.h
@@ -104,4 +104,6 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* _ASM_SOCKET_H */
diff --git a/arch/parisc/include/uapi/asm/socket.h b/arch/parisc/include/uapi/asm/socket.h
index 3b2bf7ae703b..54ba5e44ab89 100644
--- a/arch/parisc/include/uapi/asm/socket.h
+++ b/arch/parisc/include/uapi/asm/socket.h
@@ -103,4 +103,6 @@
#define SO_ZEROCOPY 0x4035
+#define SO_LSMSEC 0x4036
+
#endif /* _UAPI_ASM_SOCKET_H */
diff --git a/arch/s390/include/uapi/asm/socket.h b/arch/s390/include/uapi/asm/socket.h
index a56916c83565..48b4e0b835df 100644
--- a/arch/s390/include/uapi/asm/socket.h
+++ b/arch/s390/include/uapi/asm/socket.h
@@ -110,4 +110,6 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* _ASM_SOCKET_H */
diff --git a/arch/sparc/include/uapi/asm/socket.h b/arch/sparc/include/uapi/asm/socket.h
index b2f5c50d0947..d97aa57a5987 100644
--- a/arch/sparc/include/uapi/asm/socket.h
+++ b/arch/sparc/include/uapi/asm/socket.h
@@ -100,6 +100,8 @@
#define SO_ZEROCOPY 0x003e
+#define SO_LSMSEC 0x003f
+
/* Security levels - as per NRL IPv6 - don't actually do anything */
#define SO_SECURITY_AUTHENTICATION 0x5001
#define SO_SECURITY_ENCRYPTION_TRANSPORT 0x5002
diff --git a/arch/xtensa/include/uapi/asm/socket.h b/arch/xtensa/include/uapi/asm/socket.h
index 220059999e74..6f3f257d6fdd 100644
--- a/arch/xtensa/include/uapi/asm/socket.h
+++ b/arch/xtensa/include/uapi/asm/socket.h
@@ -115,4 +115,6 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* _XTENSA_SOCKET_H */
diff --git a/fs/xattr.c b/fs/xattr.c
index 4424f7fecf14..61cd28ba25f3 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -250,7 +250,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
}
memcpy(value, buffer, len);
out:
- security_release_secctx(buffer, len);
+ kfree(buffer);
out_noalloc:
return len;
}
diff --git a/include/linux/security.h b/include/linux/security.h
index 3a70b23a7dcc..8e06d9614736 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -410,8 +410,10 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
-int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int security_secid_to_secctx(const char *lsm, u32 secid, char **secdata,
+ u32 *seclen);
+int security_secctx_to_secid(const char *lsm, const char *secdata, u32 seclen,
+ u32 *secid);
void security_release_secctx(char *secdata, u32 seclen);
void security_inode_invalidate_secctx(struct inode *inode);
@@ -1185,14 +1187,14 @@ static inline int security_ismaclabel(const char *name)
return 0;
}
-static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+static inline int security_secid_to_secctx(const char *lsm, u32 secid,
+ char **secdata, u32 *seclen)
{
return -EOPNOTSUPP;
}
-static inline int security_secctx_to_secid(const char *secdata,
- u32 seclen,
- u32 *secid)
+static inline int security_secctx_to_secid(const char *lsm, const char *secdata,
+ u32 seclen, u32 *secid)
{
return -EOPNOTSUPP;
}
@@ -1241,6 +1243,8 @@ int security_socket_shutdown(struct socket *sock, int how);
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len);
+int security_socket_passed_lsm(struct socket *sock, char __user *optval,
+ unsigned int optlen);
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
void security_sk_free(struct sock *sk);
@@ -1263,6 +1267,7 @@ int security_tun_dev_create(void);
int security_tun_dev_attach_queue(void *security);
int security_tun_dev_attach(struct sock *sk, void *security);
int security_tun_dev_open(void *security);
+char *security_socket_lsm(const struct sock *sk);
#else /* CONFIG_SECURITY_NETWORK */
static inline int security_unix_stream_connect(struct sock *sock,
@@ -1362,12 +1367,21 @@ static inline int security_sock_rcv_skb(struct sock *sk,
return 0;
}
-static inline int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
- int __user *optlen, unsigned len)
+static inline int security_socket_getpeersec_stream(struct socket *sock,
+ char __user *optval,
+ int __user *optlen,
+ unsigned len)
{
return -ENOPROTOOPT;
}
+static inline int security_socket_passed_lsm(struct socket *sock,
+ char __user *optval,
+ unsigned int optlen)
+{
+ return -EOPNOTSUPP;
+}
+
static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
return -ENOPROTOOPT;
@@ -1455,6 +1469,11 @@ static inline int security_tun_dev_open(void *security)
{
return 0;
}
+
+static inline char *security_socket_lsm(const struct sock *sk)
+{
+ return NULL;
+}
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_INFINIBAND
diff --git a/include/net/scm.h b/include/net/scm.h
index 142ea9e7a6d0..4783ba64773b 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -95,7 +95,8 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
int err;
if (test_bit(SOCK_PASSSEC, &sock->flags)) {
- err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
+ err = security_secid_to_secctx(security_socket_lsm(sock->sk),
+ scm->secid, &secdata, &seclen);
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
diff --git a/include/uapi/asm-generic/socket.h b/include/uapi/asm-generic/socket.h
index e47c9e436221..c5ed101d0be1 100644
--- a/include/uapi/asm-generic/socket.h
+++ b/include/uapi/asm-generic/socket.h
@@ -106,4 +106,6 @@
#define SO_ZEROCOPY 60
+#define SO_LSMSEC 61
+
#endif /* __ASM_GENERIC_SOCKET_H */
diff --git a/kernel/audit.c b/kernel/audit.c
index be1c28fd4d57..e4a016ce9580 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1374,7 +1374,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_SIGNAL_INFO:
len = 0;
if (audit_sig_sid) {
- err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
+ err = security_secid_to_secctx(NULL, audit_sig_sid, &ctx, &len);
if (err)
return err;
}
@@ -2107,7 +2107,7 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
if (n->osid != 0) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(
+ if (security_secid_to_secctx(NULL,
n->osid, &ctx, &len)) {
audit_log_format(ab, " osid=%u", n->osid);
if (call_panic)
@@ -2153,7 +2153,7 @@ int audit_log_task_context(struct audit_buffer *ab)
if (!sid)
return 0;
- error = security_secid_to_secctx(sid, &ctx, &len);
+ error = security_secid_to_secctx(NULL, sid, &ctx, &len);
if (error) {
if (error != -EINVAL)
goto error_path;
@@ -2339,21 +2339,25 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
#ifdef CONFIG_SECURITY
/**
- * audit_log_secctx - Converts and logs SELinux context
+ * audit_log_secctx - Converts and logs security context
* @ab: audit_buffer
* @secid: security number
*
* This is a helper function that calls security_secid_to_secctx to convert
- * secid to secctx and then adds the (converted) SELinux context to the audit
+ * secid to secctx and then adds the (converted) security context to the audit
* log by calling audit_log_format, thus also preventing leak of internal secid
* to userspace. If secid cannot be converted audit_panic is called.
+ *
+ * Note: There is not sufficient information in the input to
+ * determine which security module the caller is interested in
+ * in the multiple security module case.
*/
void audit_log_secctx(struct audit_buffer *ab, u32 secid)
{
u32 len;
char *secctx;
- if (security_secid_to_secctx(secid, &secctx, &len)) {
+ if (security_secid_to_secctx(NULL, secid, &secctx, &len)) {
audit_panic("Cannot convert secid to context");
} else {
audit_log_format(ab, " obj=%s", secctx);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ecc23e25c9eb..6427e1956345 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -984,7 +984,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
if (sid) {
- if (security_secid_to_secctx(sid, &ctx, &len)) {
+ if (security_secid_to_secctx(NULL, sid, &ctx, &len)) {
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
@@ -1200,7 +1200,7 @@ static void show_special(struct audit_context *context, int *call_panic)
if (osid) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(osid, &ctx, &len)) {
+ if (security_secid_to_secctx(NULL, osid, &ctx, &len)) {
audit_log_format(ab, " osid=%u", osid);
*call_panic = 1;
} else {
diff --git a/kernel/cred.c b/kernel/cred.c
index fa2061ee4955..f6b067259b6d 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -671,7 +671,7 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx)
u32 secid;
int ret;
- ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
+ ret = security_secctx_to_secid(NULL, secctx, strlen(secctx), &secid);
if (ret < 0)
return ret;
diff --git a/net/core/sock.c b/net/core/sock.c
index 9b7b6bbb2a23..f585833fe52d 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -849,6 +849,10 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
clear_bit(SOCK_PASSCRED, &sock->flags);
break;
+ case SO_LSMSEC:
+ ret = security_socket_passed_lsm(sock, optval, optlen);
+ break;
+
case SO_TIMESTAMP:
case SO_TIMESTAMPNS:
if (valbool) {
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index a599aa83fdad..b8d6c519592f 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -125,7 +125,8 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
}
-static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
+static void ip_cmsg_recv_security(const struct sock *sk, struct msghdr *msg,
+ struct sk_buff *skb)
{
char *secdata;
u32 seclen, secid;
@@ -135,7 +136,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
if (err)
return;
- err = security_secid_to_secctx(secid, &secdata, &seclen);
+ err = security_secid_to_secctx(security_socket_lsm(sk),
+ secid, &secdata, &seclen);
if (err)
return;
@@ -213,7 +215,7 @@ void ip_cmsg_recv_offset(struct msghdr *msg, struct sock *sk,
}
if (flags & IP_CMSG_PASSSEC) {
- ip_cmsg_recv_security(msg, skb);
+ ip_cmsg_recv_security(sk, msg, skb);
flags &= ~IP_CMSG_PASSSEC;
if (!flags)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index de4053d84364..c758f4b1f9c3 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -316,7 +316,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
int len, ret;
char *secctx;
- ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+ if (skb && skb->sk)
+ ret = security_secid_to_secctx(security_socket_lsm(skb->sk),
+ ct->secmark, &secctx, &len);
+ else
+ ret = security_secid_to_secctx(NULL, ct->secmark, &secctx,
+ &len);
if (ret)
return 0;
@@ -564,7 +569,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
#ifdef CONFIG_NF_CONNTRACK_SECMARK
int len, ret;
- ret = security_secid_to_secctx(ct->secmark, NULL, &len);
+ ret = security_secid_to_secctx(NULL, ct->secmark, NULL, &len);
if (ret)
return 0;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 5a101caa3e12..b1760cb790ee 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -182,7 +182,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
u32 len;
char *secctx;
- ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+ ret = security_secid_to_secctx(NULL, ct->secmark, &secctx, &len);
if (ret)
return;
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index c9796629858f..8687a11dd0d7 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -292,7 +292,8 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
read_lock_bh(&skb->sk->sk_callback_lock);
if (skb->secmark)
- security_secid_to_secctx(skb->secmark, secdata, &seclen);
+ security_secid_to_secctx(security_socket_lsm(skb->sk),
+ skb->secmark, secdata, &seclen);
read_unlock_bh(&skb->sk->sk_callback_lock);
#endif
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 9faf5e050b79..d2e1bf037111 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -56,7 +56,7 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
info->secid = 0;
- err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
+ err = security_secctx_to_secid(NULL, info->secctx, strlen(info->secctx),
&info->secid);
if (err) {
if (err == -EINVAL)
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 22dc1b9d6362..93a526d028c1 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -451,7 +451,7 @@ int netlbl_unlhsh_add(struct net *net,
unlhsh_add_return:
rcu_read_unlock();
if (audit_buf != NULL) {
- if (security_secid_to_secctx(secid,
+ if (security_secid_to_secctx(NULL, secid,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
@@ -508,7 +508,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(entry->secid,
+ security_secid_to_secctx(NULL, entry->secid,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
@@ -569,7 +569,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(entry->secid,
+ security_secid_to_secctx(NULL, entry->secid,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
@@ -915,7 +915,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
if (ret_val != 0)
return ret_val;
dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
- ret_val = security_secctx_to_secid(
+ ret_val = security_secctx_to_secid(NULL,
nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
&secid);
@@ -964,7 +964,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
if (ret_val != 0)
return ret_val;
- ret_val = security_secctx_to_secid(
+ ret_val = security_secctx_to_secid(NULL,
nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
&secid);
@@ -1141,7 +1141,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
secid = addr6->secid;
}
- ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
+ ret_val = security_secid_to_secctx(NULL, secid, &secctx, &secctx_len);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 58495f44c62a..45c9b3a192fd 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -113,7 +113,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
audit_info->sessionid);
if (audit_info->secid != 0 &&
- security_secid_to_secctx(audit_info->secid,
+ security_secid_to_secctx(NULL, audit_info->secid,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
diff --git a/security/Kconfig b/security/Kconfig
index a14d50b45b6c..d09eb11ae608 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -292,60 +292,30 @@ endmenu
menu "Security Module Stack"
visible if SECURITY_STACKING
-choice
- prompt "Stacked 'extreme' security module"
- default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
- default SECURITY_SMACK_STACKED if SECURITY_SMACK
- default SECURITY_APPARMOR_STACKED if SECURITY_APPARMOR
-
- help
- Enable an extreme security module. These modules cannot
- be used at the same time.
-
- config SECURITY_SELINUX_STACKED
- bool "SELinux" if SECURITY_SELINUX=y
+config SECURITY_SELINUX_STACKED
+ bool "SELinux" if SECURITY_SELINUX=y
help
This option instructs the system to use the SELinux checks.
- At this time the Smack security module is incompatible with this
- module.
- At this time the AppArmor security module is incompatible with this
- module.
- config SECURITY_SMACK_STACKED
- bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+config SECURITY_SMACK_STACKED
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
help
This option instructs the system to use the Smack checks.
- At this time the SELinux security module is incompatible with this
- module.
- At this time the AppArmor security module is incompatible with this
- module.
- config SECURITY_APPARMOR_STACKED
- bool "AppArmor" if SECURITY_APPARMOR=y
+config SECURITY_APPARMOR_STACKED
+ bool "AppArmor" if SECURITY_APPARMOR=y
help
This option instructs the system to use the AppArmor checks.
- At this time the SELinux security module is incompatible with this
- module.
- At this time the Smack security module is incompatible with this
- module.
-
- config SECURITY_NOTHING_STACKED
- bool "Use no 'extreme' security module"
- help
- Use none of the SELinux, Smack or AppArmor security module.
-
-endchoice
config SECURITY_TOMOYO_STACKED
- bool "TOMOYO support is enabled by default"
- depends on SECURITY_TOMOYO && SECURITY_STACKING
- default n
+ bool "TOMOYO" if SECURITY_TOMOYO=y
help
This option instructs the system to use the TOMOYO checks.
- If not selected the module will not be invoked.
- Stacked security modules may interact in unexpected ways.
- If you are unsure how to answer this question, answer N.
+config SECURITY_NOTHING_STACKED
+ bool "Use no 'extreme' security module"
+ help
+ Use none of the SELinux, Smack or AppArmor security modules.
endmenu
diff --git a/security/security.c b/security/security.c
index 7a004006e761..fbf64b5a9848 100644
--- a/security/security.c
+++ b/security/security.c
@@ -31,7 +31,12 @@
#include <net/flow.h>
#include <net/sock.h>
-#define MAX_LSM_EVM_XATTR 2
+/*
+ * This should depend on the number of security modules
+ * that use extended attributes. At this writing it is
+ * at least EVM, SELinux and Smack.
+ */
+#define MAX_LSM_EVM_XATTR 8
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
@@ -171,7 +176,7 @@ static int lsm_append(char *new, char **result)
/**
* security_module_enable - Load given security module on boot ?
- * @module: the name of the module
+ * @lsm: the name of the module
* @stacked: indicates that the module wants to be stacked
*
* Each LSM must pass this method before registering its own operations
@@ -333,7 +338,14 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
lsm_set_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
lsm_set_size(&needed->lbs_key, &blob_sizes.lbs_key);
lsm_set_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
+ /*
+ * The socket blob gets the name of the security module
+ * passed in SO_PEERSEC as well as the module data.
+ */
+ if (needed->lbs_sock && blob_sizes.lbs_sock == 0)
+ blob_sizes.lbs_sock = SECURITY_NAME_MAX + 2;
lsm_set_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
+
lsm_set_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task);
/*
@@ -507,10 +519,6 @@ int lsm_msg_msg_alloc(struct msg_msg *mp)
*/
int lsm_sock_alloc(struct sock *sock, gfp_t priority)
{
-#ifdef CONFIG_SECURITY_LSM_DEBUG
- if (sock->sk_security)
- pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
-#endif
if (blob_sizes.lbs_sock == 0)
return 0;
@@ -520,6 +528,16 @@ int lsm_sock_alloc(struct sock *sock, gfp_t priority)
return 0;
}
+#ifdef CONFIG_SECURITY_NETWORK
+char *security_socket_lsm(const struct sock *sk)
+{
+ if (sk)
+ return sk->sk_security;
+ return NULL;
+}
+EXPORT_SYMBOL(security_socket_lsm);
+#endif
+
/**
* lsm_superblock_alloc - allocate a composite superblock blob
* @sb: the superblock that needs a blob
@@ -773,7 +791,7 @@ int security_sb_set_mnt_opts(struct super_block *sb,
{
int nobody = 0;
-#ifdef SECURITY_EXTREME_STACKING
+#ifdef CONFIG_SECURITY_STACKING
if (opts->selinux.num_mnt_opts != 0 || opts->smack.num_mnt_opts != 0)
nobody = -EOPNOTSUPP;
#else
@@ -859,9 +877,10 @@ int security_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr,
const initxattrs initxattrs, void *fs_data)
{
- struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1];
- struct xattr *lsm_xattr, *evm_xattr, *xattr;
- int ret;
+ struct security_hook_list *hp;
+ struct xattr xattrs[MAX_LSM_EVM_XATTR + 1];
+ int rc = -EOPNOTSUPP;
+ int attrn = 0;
if (unlikely(IS_PRIVATE(inode)))
return 0;
@@ -869,24 +888,41 @@ int security_inode_init_security(struct inode *inode, struct inode *dir,
if (!initxattrs)
return call_int_hook(inode_init_security, -EOPNOTSUPP, inode,
dir, qstr, NULL, NULL, NULL);
- memset(new_xattrs, 0, sizeof(new_xattrs));
- lsm_xattr = new_xattrs;
- ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr,
- &lsm_xattr->name,
- &lsm_xattr->value,
- &lsm_xattr->value_len);
- if (ret)
+
+ memset(xattrs, 0, sizeof(xattrs));
+
+ list_for_each_entry(hp, &security_hook_heads.inode_init_security,
+ list) {
+ rc = hp->hook.inode_init_security(inode, dir, qstr,
+ &xattrs[attrn].name,
+ &xattrs[attrn].value,
+ &xattrs[attrn].value_len);
+ /*
+ * If the module doesn't support this, reuse the entry.
+ * If it's a real error, bail out of the loop.
+ */
+ if (rc == -EOPNOTSUPP)
+ rc = 0;
+ else if (rc)
+ break;
+ else
+ attrn++;
+ }
+ if (rc)
goto out;
- evm_xattr = lsm_xattr + 1;
- ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
- if (ret)
+ /*
+ * Should EVM loop on these?
+ * Do the first one until it's sorted out.
+ */
+ rc = evm_inode_init_security(inode, &xattrs[0], &xattrs[attrn]);
+ if (rc)
goto out;
- ret = initxattrs(inode, new_xattrs, fs_data);
+ rc = initxattrs(inode, xattrs, fs_data);
out:
- for (xattr = new_xattrs; xattr->value != NULL; xattr++)
- kfree(xattr->value);
- return (ret == -EOPNOTSUPP) ? 0 : ret;
+ for (; attrn >= 0; attrn--)
+ kfree(xattrs[attrn].value);
+ return (rc == -EOPNOTSUPP) ? 0 : rc;
}
EXPORT_SYMBOL(security_inode_init_security);
@@ -1114,18 +1150,22 @@ int security_inode_getattr(const struct path *path)
int security_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
- int ret;
+ struct security_hook_list *hp;
+ int ret = -ENOSYS;
+ int trc;
if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
return 0;
- /*
- * SELinux and Smack integrate the cap call,
- * so assume that all LSMs supplying this call do so.
- */
- ret = call_int_hook(inode_setxattr, 1, dentry, name, value, size,
- flags);
- if (ret == 1)
+ list_for_each_entry(hp, &security_hook_heads.inode_setxattr, list) {
+ trc = hp->hook.inode_setxattr(dentry, name, value, size, flags);
+ if (trc != -ENOSYS) {
+ ret = trc;
+ break;
+ }
+ }
+
+ if (ret == -ENOSYS)
ret = cap_inode_setxattr(dentry, name, value, size, flags);
if (ret)
return ret;
@@ -1790,7 +1830,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
struct security_hook_list *hp;
list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
+ if (lsm && lsm[0] && strcmp(lsm, hp->lsm))
continue;
return hp->hook.getprocattr(p, name, value);
}
@@ -1803,7 +1843,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
struct security_hook_list *hp;
list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
+ if (lsm && lsm[0] && strcmp(lsm, hp->lsm))
continue;
return hp->hook.setprocattr(name, value, size);
}
@@ -1821,25 +1861,25 @@ int security_ismaclabel(const char *name)
}
EXPORT_SYMBOL(security_ismaclabel);
-int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+int security_secid_to_secctx(const char *lsm, u32 secid, char **secdata,
+ u32 *seclen)
{
#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
- int rc = -EOPNOTSUPP;
+ int rc;
lsm_token_to_secids(secid, &secids);
- /*
- * Return the first result regardless.
- */
list_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
+ if (lsm && lsm[0] && strcmp(lsm, hp->lsm))
+ continue;
rc = hp->hook.secid_to_secctx(secids.secid[hp->lsm_index],
secdata, seclen);
if (rc != -EOPNOTSUPP)
- break;
+ return rc;
}
- return rc;
+ return -EOPNOTSUPP;
#else
return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
seclen);
@@ -1847,7 +1887,8 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
}
EXPORT_SYMBOL(security_secid_to_secctx);
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int security_secctx_to_secid(const char *lsm, const char *secdata, u32 seclen,
+ u32 *secid)
{
#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
@@ -1857,6 +1898,8 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
lsm_secids_init(&secids);
list_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
+ if (lsm && lsm[0] && strcmp(lsm, hp->lsm))
+ continue;
rc = hp->hook.secctx_to_secid(secdata, seclen,
&secids.secid[hp->lsm_index]);
if (rc)
@@ -1874,7 +1917,11 @@ EXPORT_SYMBOL(security_secctx_to_secid);
void security_release_secctx(char *secdata, u32 seclen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ kfree(secdata);
+#else
call_void_hook(release_secctx, secdata, seclen);
+#endif
}
EXPORT_SYMBOL(security_release_secctx);
@@ -1884,21 +1931,223 @@ void security_inode_invalidate_secctx(struct inode *inode)
}
EXPORT_SYMBOL(security_inode_invalidate_secctx);
+#ifdef CONFIG_SECURITY_STACKING
+struct lsm_value {
+ char *lsm;
+ char *data;
+};
+
+/**
+ * lsm_parse_context - break a compound "context" into module data
+ * @cxt: the initial data, which will be modified
+ * @vlist: an array to receive the results
+ *
+ * Returns the number of entries, or -EINVAL if the cxt is unworkable.
+ */
+static int lsm_parse_context(char *cxt, struct lsm_value *vlist)
+{
+ char *lsm;
+ char *data;
+ char *cp;
+ int i;
+
+ lsm = cxt;
+ for (i = 0; i < LSM_MAX_MAJOR; i++) {
+ data = strstr(lsm, "='");
+ if (!data)
+ break;
+ *data = '\0';
+ data += 2;
+ cp = strchr(data, '\'');
+ if (!cp)
+ return -EINVAL;
+ *cp++ = '\0';
+ vlist[i].lsm = lsm;
+ vlist[i].data = data;
+ if (*cp == '\0') {
+ i++;
+ break;
+ }
+ if (*cp == ',')
+ cp++;
+ else
+ return -EINVAL;
+ lsm = cp;
+ }
+ return i;
+}
+#endif /* CONFIG_SECURITY_STACKING */
+
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_value *lsm_value;
+ char *temp;
+ int count;
+ int rc = 0;
+
+ if (!ctx || !ctxlen)
+ return -EACCES;
+
+ lsm_value = kzalloc(sizeof(*lsm_value) * LSM_MAX_MAJOR, GFP_KERNEL);
+ if (!lsm_value)
+ return -ENOMEM;
+
+ temp = kmemdup(ctx, ctxlen + 1, GFP_KERNEL);
+ if (!temp) {
+ rc = -ENOMEM;
+ goto free_out;
+ }
+ temp[ctxlen] = '\0';
+
+ count = lsm_parse_context(temp, lsm_value);
+ if (count <= 0) {
+ rc = -EINVAL;
+ goto free_out;
+ }
+
+ for (count--; count >= 0; count--) {
+ list_for_each_entry(hp,
+ &security_hook_heads.inode_notifysecctx,
+ list) {
+ if (!strcmp(hp->lsm, lsm_value[count].lsm)) {
+ rc = hp->hook.inode_notifysecctx(inode,
+ lsm_value[count].data,
+ strlen(lsm_value[count].data));
+ break;
+ }
+ }
+ if (rc)
+ break;
+ }
+
+free_out:
+ kfree(lsm_value);
+ kfree(temp);
+ return rc;
+#else
return call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen);
+#endif
}
EXPORT_SYMBOL(security_inode_notifysecctx);
+/**
+ * security_inode_setsecctx - set the LSM security attribute(s) on an inode
+ * @dentry: the directory entry containing the inode
+ * @ctx: the security attributes, in text form
+ * @ctxlen: the length of the attributes
+ *
+ * This should only be called by filesystems for the purpose
+ * of setting attributes in an LSM agnositic way. The @ctx
+ * value should never be externally supplied.
+ *
+ * Returns 0 on success and LSM defined errors.
+ */
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ struct lsm_value *lsm_value;
+ char *temp;
+ int count;
+ int rc = 0;
+
+ lsm_value = kzalloc(sizeof(*lsm_value) * LSM_MAX_MAJOR, GFP_KERNEL);
+ if (!lsm_value)
+ return -ENOMEM;
+
+ temp = kmemdup(ctx, ctxlen + 1, GFP_KERNEL);
+ if (!temp) {
+ rc = -ENOMEM;
+ goto free_out;
+ }
+ temp[ctxlen] = '\0';
+
+ count = lsm_parse_context(temp, lsm_value);
+ if (count <= 0) {
+ rc = -EINVAL;
+ goto free_out;
+ }
+
+ for (count--; count >= 0; count--) {
+ list_for_each_entry(hp, &security_hook_heads.inode_setsecctx,
+ list) {
+ if (!strcmp(hp->lsm, lsm_value[count].lsm)) {
+ rc = hp->hook.inode_setsecctx(dentry,
+ lsm_value[count].data,
+ strlen(lsm_value[count].data));
+ break;
+ }
+ }
+ if (rc)
+ break;
+ }
+
+free_out:
+ kfree(lsm_value);
+ kfree(temp);
+ return rc;
+#else
return call_int_hook(inode_setsecctx, 0, dentry, ctx, ctxlen);
+#endif
}
EXPORT_SYMBOL(security_inode_setsecctx);
+/**
+ * security_inode_getsecctx - get the LSM security attribute(s) of an inode
+ * @inode: the inode
+ * @ctx: the fetched security attributes, in text form
+ * @ctxlen: the length of the fetched attributes
+ *
+ * This should only be called by filesystems for the purpose
+ * of getting attributes in an LSM agnositic way. The @ctx
+ * value should never be externally exposed.
+ *
+ * Returns 0 on success and LSM defined errors.
+ */
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ char *value = NULL;
+ void *vp;
+ char *cp;
+ u32 tlen;
+ int trc;
+ int rc = -EOPNOTSUPP;
+
+ list_for_each_entry(hp, &security_hook_heads.inode_getsecctx, list) {
+ trc = hp->hook.inode_getsecctx(inode, &vp, &tlen);
+ if (trc < 0) {
+ kfree(value);
+ return trc;
+ }
+ rc = trc;
+ if (value == NULL) {
+ value = kasprintf(GFP_KERNEL, "%s='%s'", hp->lsm,
+ (char *)vp);
+ kfree(vp);
+ if (value == NULL)
+ return -ENOMEM;
+ } else {
+ cp = kasprintf(GFP_KERNEL, "%s,%s='%s'", value,
+ hp->lsm, (char *)vp);
+ kfree(vp);
+ kfree(value);
+ if (cp == NULL)
+ return -ENOMEM;
+ value = cp;
+ }
+ }
+ if (!rc) {
+ *ctxlen = strlen(value);
+ *ctx = value;
+ }
+ return rc;
+#else
return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen);
+#endif
}
EXPORT_SYMBOL(security_inode_getsecctx);
@@ -1993,8 +2242,39 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len)
{
+#ifdef CONFIG_SECURITY_STACKING
+ struct security_hook_list *hp;
+ char *lsm = security_socket_lsm(sock->sk);
+ int rc;
+
+ list_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream,
+ list) {
+ if (lsm && lsm[0] && strcmp(lsm, hp->lsm))
+ continue;
+ rc = hp->hook.socket_getpeersec_stream(sock, optval, optlen,
+ len);
+ if (rc != -ENOPROTOOPT)
+ return rc;
+ }
+ return -ENOPROTOOPT;
+#else
return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
optval, optlen, len);
+#endif
+}
+
+int security_socket_passed_lsm(struct socket *sock, char __user *optval,
+ unsigned int optlen)
+{
+ char *lsm = security_socket_lsm(sock->sk);
+ long reallen;
+
+ if (optlen > SECURITY_NAME_MAX)
+ return -EINVAL;
+
+ reallen = strncpy_from_user(lsm, optval, optlen);
+ lsm[reallen] = '\0';
+ return 0;
}
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
@@ -2003,16 +2283,24 @@ int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
#ifdef CONFIG_SECURITY_STACKING
struct security_hook_list *hp;
struct lsm_secids secids;
+ char *lsm = NULL;
int rc = -ENOPROTOOPT;
+ int trc;
+
+ if (skb && skb->sk)
+ lsm = security_socket_lsm(skb->sk);
+ else if (sock && sock->sk)
+ lsm = security_socket_lsm(sock->sk);
lsm_secids_init(&secids);
list_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
list) {
- rc = hp->hook.socket_getpeersec_dgram(sock, skb,
+ trc = hp->hook.socket_getpeersec_dgram(sock, skb,
&secids.secid[hp->lsm_index]);
- if (rc)
- break;
+ if ((!lsm || !lsm[0] || !strcmp(lsm, hp->lsm)) &&
+ trc != -ENOPROTOOPT)
+ rc = trc;
}
if (!rc)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 395fbfa7bfac..544fa3041592 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5928,10 +5928,12 @@ static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
return security_context_to_sid(secdata, seclen, secid, GFP_KERNEL);
}
+#ifndef CONFIG_SECURITY_STACKING
static void selinux_release_secctx(char *secdata, u32 seclen)
{
kfree(secdata);
}
+#endif
static void selinux_inode_invalidate_secctx(struct inode *inode)
{
@@ -6230,7 +6232,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ismaclabel, selinux_ismaclabel),
LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid),
+#ifndef CONFIG_SECURITY_STACKING
LSM_HOOK_INIT(release_secctx, selinux_release_secctx),
+#endif
LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 9fb9148cf4b5..d53ff04c49e1 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1421,7 +1421,10 @@ static int smack_inode_getsecurity(struct inode *inode,
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
isp = smk_of_inode(inode);
ilen = strlen(isp->smk_known);
- *buffer = isp->smk_known;
+ if (alloc)
+ *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
+ else
+ *buffer = isp->smk_known;
return ilen;
}
@@ -1447,7 +1450,10 @@ static int smack_inode_getsecurity(struct inode *inode,
ilen = strlen(isp->smk_known);
if (rc == 0) {
- *buffer = isp->smk_known;
+ if (alloc)
+ *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
+ else
+ *buffer = isp->smk_known;
rc = ilen;
}
@@ -4361,8 +4367,16 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
struct smack_known *skp = smack_from_secid(secid);
+#ifdef CONFIG_SECURITY_STACKING
+ if (secdata) {
+ *secdata = kstrdup(skp->smk_known, GFP_KERNEL);
+ if (*secdata == NULL)
+ return -ENOMEM;
+ }
+#else
if (secdata)
*secdata = skp->smk_known;
+#endif
*seclen = strlen(skp->smk_known);
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 27+ messages in thread* [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
` (8 preceding siblings ...)
2017-10-27 21:45 ` [PATCH 9/9] LSM: Full security module stacking Casey Schaufler
@ 2017-11-06 16:11 ` James Morris
2017-11-06 16:17 ` Casey Schaufler
2017-11-06 17:15 ` John Johansen
2017-11-11 15:48 ` Paul Moore
10 siblings, 2 replies; 27+ messages in thread
From: James Morris @ 2017-11-06 16:11 UTC (permalink / raw)
To: linux-security-module
On Fri, 27 Oct 2017, Casey Schaufler wrote:
> Subject: [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2
Would any distros expect to enable this?
--
James Morris
<james.l.morris@oracle.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2
2017-10-27 21:34 [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 Casey Schaufler
` (9 preceding siblings ...)
2017-11-06 16:11 ` [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2 James Morris
@ 2017-11-11 15:48 ` Paul Moore
2017-11-11 20:18 ` Casey Schaufler
10 siblings, 1 reply; 27+ messages in thread
From: Paul Moore @ 2017-11-11 15:48 UTC (permalink / raw)
To: linux-security-module
On Fri, Oct 27, 2017 at 5:34 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> Subject: [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2
>
> This patch set implements stacking for "major" security modules.
...
> I have tested these patches in various configurations of Ubuntu and
> Fedora. Smack and SELinux together pass test suites with some exceptions.
> There are conflicts with the way the modules treat network configurations.
> These conflicts are under investigation, and changes to Smack (and
> possibly SELinux) to reconcile the worst of the issues are in development.
This remains my big concern, especially the network support. We've
talked about this a lot in person, but until I see the code which
deals with this I can't ack/nack this patchset.
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread* [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2
2017-11-11 15:48 ` Paul Moore
@ 2017-11-11 20:18 ` Casey Schaufler
0 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2017-11-11 20:18 UTC (permalink / raw)
To: linux-security-module
On 11/11/2017 7:48 AM, Paul Moore wrote:
> On Fri, Oct 27, 2017 at 5:34 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Subject: [PATCH 0/9] LSM: Stacking for major security modules - Based on 4.14-rc2
>>
>> This patch set implements stacking for "major" security modules.
> ..
>
>> I have tested these patches in various configurations of Ubuntu and
>> Fedora. Smack and SELinux together pass test suites with some exceptions.
>> There are conflicts with the way the modules treat network configurations.
>> These conflicts are under investigation, and changes to Smack (and
>> possibly SELinux) to reconcile the worst of the issues are in development.
> This remains my big concern, especially the network support. We've
> talked about this a lot in person, but until I see the code which
> deals with this I can't ack/nack this patchset.
That's well understood, and appreciated.
The LSM infrastructure is based on the system (e.g. vfs) code
making calls to hooks when it is time to make a check. The netlabel
system is based on the LSM making a call when it has information
to present. The former makes coordination of multiple security
modules relatively straight forward. The later requires holding on
to data until such time as the end networking code needs it. Even
if all the security modules made netlabel calls from exactly the
same hooks (they don't) there's still no place to pull everything
together. The solutions used to address the security_blah interfaces
don't work with the networking implementation.
I'm on what I think is about my 5th approach to the netlabel problem.
I have discovered all sorts of nasty little issues, some of which are
artifacts of the IP stack, and some of which are the result of more
general memory and object management.
I would be delighted if someone where inclined to point out an
elegant way to approach the problem. Lacking that, I'll just keep
plugging away with my 12 pound hammer and rusty crowbar.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 27+ messages in thread