From: Casey Schaufler <casey@schaufler-ca.com>
To: Kees Cook <keescook@chromium.org>
Cc: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
paul@paul-moore.com, sds@tycho.nsa.gov, casey@schaufler-ca.com
Subject: Re: [PATCH v4 17/23] LSM: Use lsmcontext in security_secid_to_secctx
Date: Thu, 27 Jun 2019 10:36:57 -0700 [thread overview]
Message-ID: <e7b07964-1f00-b168-de8c-c63f7d2a1418@schaufler-ca.com> (raw)
In-Reply-To: <201906271007.4248A3AE@keescook>
On 6/27/2019 10:17 AM, Kees Cook wrote:
> On Thu, Jun 27, 2019 at 09:29:25AM -0700, Casey Schaufler wrote:
>> On 6/26/2019 8:53 PM, Kees Cook wrote:
>>> On Wed, Jun 26, 2019 at 12:22:28PM -0700, Casey Schaufler wrote:
>>>> Replace the (secctx,seclen) pointer pair with a single
>>>> lsmcontext pointer to allow return of the LSM identifier
>>>> along with the context and context length. This allows
>>>> security_release_secctx() to know how to release the
>>>> context. Callers have been modified to use or save the
>>>> returned data from the new structure.
>>>>
>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>>> ---
>>>> drivers/android/binder.c | 24 ++++++---------
>>>> include/linux/security.h | 4 +--
>>>> include/net/scm.h | 9 ++----
>>>> kernel/audit.c | 29 +++++++-----------
>>>> kernel/auditsc.c | 31 +++++++------------
>>>> net/ipv4/ip_sockglue.c | 7 ++---
>>>> net/netfilter/nf_conntrack_netlink.c | 14 +++++----
>>>> net/netfilter/nf_conntrack_standalone.c | 7 ++---
>>>> net/netfilter/nfnetlink_queue.c | 5 +++-
>>>> net/netlabel/netlabel_unlabeled.c | 40 ++++++++-----------------
>>>> net/netlabel/netlabel_user.c | 7 ++---
>>>> security/security.c | 9 ++++--
>>>> 12 files changed, 72 insertions(+), 114 deletions(-)
>>>>
>>>> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
>>>> index 89e574be34cc..5d417a7b9bb3 100644
>>>> --- a/drivers/android/binder.c
>>>> +++ b/drivers/android/binder.c
>>>> @@ -2874,9 +2874,7 @@ static void binder_transaction(struct binder_proc *proc,
>>>> binder_size_t last_fixup_min_off = 0;
>>>> struct binder_context *context = proc->context;
>>>> int t_debug_id = atomic_inc_return(&binder_last_id);
>>>> - char *secctx = NULL;
>>>> - u32 secctx_sz = 0;
>>>> - struct lsmcontext scaff; /* scaffolding */
>>>> + struct lsmcontext lsmctx;
>>> As James found, this needs to be zero initialized:
>>>
>>> struct lsmcontext lsmctx = { };
>> Thanks! I'll incorporate this in v5. It's great to
>> have y'all checking it out.
> I looked through other removed NULL assignments, and I think I see some
> other issues...
>
> binder_alloc_copy_to_buffer(&target_proc->alloc,
> t->buffer, buf_offset,
> - secctx, secctx_sz);
> - security_release_secctx(secctx, secctx_sz);
> - secctx = NULL;
> + lsmctx.context, lsmctx.len);
> + security_release_secctx(&lsmctx);
>
> The new security_release_secctx() performs the zeroing if there is a
> slot match... should it be unconditional? (And should the no-op version
> also zero?)
I don't see a reason not to zero in all cases. I'll change that.
>
> @@ -2420,8 +2420,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct
> svc_fh *fhp,
> __be32 status;
> int err;
> struct nfs4_acl *acl = NULL;
> - void *context = NULL;
> - int contextlen;
> + struct lsmcontext context;
>
> This needs the same = { } to retain the same meaning.
I'm going to have security_secid_to_secctx() initialize
the lsmcontext. There's no case where it should be used
to update an existing context, and it makes more sense to
do it in one place than to make all the callers worry
about it.
> And here:
>
> @@ -1191,8 +1191,8 @@ static int audit_receive_msg(struct sk_buff *skb,
> struct nlmsghdr *nlh)
> struct audit_buffer *ab;
> u16 msg_type = nlh->nlmsg_type;
> struct audit_sig_info *sig_data;
> - char *ctx = NULL;
> u32 len;
> + struct lsmcontext context;
>
> And here:
>
> @@ -2069,24 +2070,23 @@ void audit_log_key(struct audit_buffer *ab, char
> *key)
>
> int audit_log_task_context(struct audit_buffer *ab)
> {
> - char *ctx = NULL;
> - unsigned len;
> int error;
> - u32 sid;
> + struct lsmblob le;
> + struct lsmcontext context;
>
> and here:
>
> static int audit_log_pid_context(struct audit_context *context, pid_t
> pid,
> - kuid_t auid, kuid_t uid, unsigned int
> sessionid,
> - u32 sid, char *comm)
> + kuid_t auid, kuid_t uid,
> + unsigned int sessionid,
> + struct lsmblob *l, char *comm)
> {
> struct audit_buffer *ab;
> - char *ctx = NULL;
> - u32 len;
> + struct lsmcontext lsmctx;
>
> Maybe here?
>
> - if (osid) {
> - char *ctx = NULL;
> - u32 len;
> - if (security_secid_to_secctx(osid, &ctx, &len))
> {
> - audit_log_format(ab, " osid=%u", osid);
> + if (lsmblob_is_set(olsm)) {
> + struct lsmcontext lsmcxt;
> + if (security_secid_to_secctx(olsm, &lsmcxt))
> *call_panic = 1;
>
> and:
>
> - if (n->osid != 0) {
> - char *ctx = NULL;
> - u32 len;
> + if (lsmblob_is_set(&n->olsm)) {
> + struct lsmcontext lsmctx;
>
>
> and:
>
> @@ -395,7 +401,7 @@ nfqnl_build_packet_message(struct net *net, struct
> nfqnl_instance *queue,
> enum ip_conntrack_info uninitialized_var(ctinfo);
> struct nfnl_ct_hook *nfnl_ct;
> bool csum_verify;
> - char *secdata = NULL;
> + struct lsmcontext context;
>
> and:
>
> @@ -387,8 +387,7 @@ int netlbl_unlhsh_add(struct net *net,
> struct net_device *dev;
> struct netlbl_unlhsh_iface *iface;
> struct audit_buffer *audit_buf = NULL;
> - char *secctx = NULL;
> - u32 secctx_len;
> + struct lsmcontext context;
>
>
> Sorry I forgot to check those the first time through!
>
next prev parent reply other threads:[~2019-06-27 17:37 UTC|newest]
Thread overview: 96+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-26 19:22 [PATCH v4 00/23] LSM: Module stacking for AppArmor Casey Schaufler
2019-06-26 19:22 ` [PATCH v4 01/23] LSM: Infrastructure management of the superblock Casey Schaufler
2019-06-26 19:22 ` [PATCH v4 02/23] LSM: Infrastructure management of the sock security Casey Schaufler
2019-06-26 19:22 ` [PATCH v4 03/23] LSM: Infrastructure management of the key blob Casey Schaufler
2019-06-26 19:22 ` [PATCH v4 04/23] LSM: Create and manage the lsmblob data structure Casey Schaufler
2019-06-26 23:39 ` John Johansen
2019-06-27 17:43 ` Casey Schaufler
2019-06-26 19:22 ` [PATCH v4 05/23] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2019-06-26 23:07 ` Kees Cook
2019-06-26 23:45 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 06/23] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2019-06-26 23:07 ` Kees Cook
2019-06-26 23:47 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 07/23] net: Prepare UDS for secuirty module stacking Casey Schaufler
2019-06-26 23:07 ` Kees Cook
2019-06-26 23:48 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 08/23] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2019-06-26 23:07 ` Kees Cook
2019-06-26 23:50 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 09/23] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2019-06-26 23:07 ` Kees Cook
2019-06-26 23:51 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 10/23] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2019-06-26 23:08 ` Kees Cook
2019-06-26 23:53 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 11/23] LSM: Use lsmblob in security_task_getsecid Casey Schaufler
2019-06-26 23:08 ` Kees Cook
2019-06-26 23:55 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 12/23] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2019-06-26 23:08 ` Kees Cook
2019-06-26 23:56 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 13/23] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2019-06-26 23:09 ` Kees Cook
2019-06-26 23:57 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 14/23] IMA: Change internal interfaces to use lsmblobs Casey Schaufler
2019-06-26 23:09 ` Kees Cook
2019-06-26 23:58 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 15/23] LSM: Specify which LSM to display Casey Schaufler
2019-06-26 23:12 ` Kees Cook
2019-06-27 21:33 ` John Johansen
2019-06-28 14:45 ` Stephen Smalley
2019-06-28 16:15 ` Casey Schaufler
2019-06-28 18:08 ` John Johansen
[not found] ` <CAB9W1A1nwE7WBZqTe-GV8xNb83_B2ybV7cco++nfMjtDz9NJrg@mail.gmail.com>
2019-06-29 1:01 ` Fwd: " Stephen Smalley
2019-06-29 19:45 ` Casey Schaufler
2019-07-02 0:49 ` James Morris
2019-07-02 1:20 ` Casey Schaufler
2019-06-26 19:22 ` [PATCH v4 16/23] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2019-06-26 23:14 ` Kees Cook
2019-06-27 21:34 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 17/23] " Casey Schaufler
2019-06-26 23:15 ` Kees Cook
2019-06-27 3:53 ` Kees Cook
2019-06-27 16:29 ` Casey Schaufler
2019-06-27 17:17 ` Kees Cook
2019-06-27 17:36 ` Casey Schaufler [this message]
2019-06-27 21:34 ` John Johansen
2019-06-27 21:36 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 18/23] LSM: Use lsmcontext in security_dentry_init_security Casey Schaufler
2019-06-26 23:15 ` Kees Cook
2019-06-27 21:34 ` John Johansen
2019-06-28 10:07 ` Ondrej Mosnacek
2019-06-26 19:22 ` [PATCH v4 19/23] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2019-06-26 23:16 ` Kees Cook
2019-06-27 21:36 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 20/23] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2019-06-26 23:16 ` Kees Cook
2019-06-27 21:37 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 21/23] Audit: Store LSM audit information in an lsmblob Casey Schaufler
2019-06-26 23:16 ` Kees Cook
2019-06-27 21:37 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 22/23] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2019-06-26 23:18 ` Kees Cook
2019-06-27 21:38 ` John Johansen
2019-06-26 19:22 ` [PATCH v4 23/23] AppArmor: Remove the exclusive flag Casey Schaufler
2019-06-26 23:18 ` Kees Cook
2019-06-27 2:22 ` James Morris
2019-06-27 3:28 ` Kees Cook
2019-06-27 3:44 ` John Johansen
2019-06-27 3:49 ` James Morris
2019-06-27 21:38 ` John Johansen
2019-06-26 21:04 ` [PATCH v4 00/23] LSM: Module stacking for AppArmor Kees Cook
2019-06-26 21:11 ` John Johansen
2019-06-26 23:04 ` Kees Cook
2019-06-26 21:25 ` Casey Schaufler
2019-06-27 2:41 ` James Morris
2019-06-27 2:46 ` James Morris
2019-06-27 3:45 ` James Morris
2019-06-27 4:10 ` James Morris
2019-06-27 17:07 ` Kees Cook
2019-06-27 18:10 ` James Morris
2019-06-27 3:51 ` Kees Cook
2019-06-27 21:52 ` John Johansen
2019-06-27 22:33 ` Casey Schaufler
2019-06-27 23:16 ` James Morris
2019-06-27 23:44 ` John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e7b07964-1f00-b168-de8c-c63f7d2a1418@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).