From: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
To: "David S. Miller" <davem@davemloft.net>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Calvin Owens <calvinowens@fb.com>,
Casey Schaufler <casey@schaufler-ca.com>,
David Howells <dhowells@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Eric Paris <eparis@parisplace.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
Jann Horn <jann@thejh.net>, Jiri Slaby <jslaby@suse.com>,
Joe Perches <joe@perches.com>,
John Johansen <john.johansen@canonical.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Lukasz Pawelczyk <l.pawelczyk@samsung.com>,
Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
NeilBrown <neilb@suse.de>, Paul Moore <paul@paul-moore.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Stephen Smalley <sds@tycho.nsa.gov>, Tejun Heo <tj@kernel.org>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
containers@lists.linuxfoundation.org, linux-doc@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Cc: Lukasz Pawelczyk <havner@gmail.com>
Subject: [PATCH v4 01/11] user_ns: 3 new LSM hooks for user namespace operations
Date: Wed, 14 Oct 2015 14:41:55 +0200 [thread overview]
Message-ID: <1444826525-9758-2-git-send-email-l.pawelczyk@samsung.com> (raw)
In-Reply-To: <1444826525-9758-1-git-send-email-l.pawelczyk@samsung.com>
This commit implements 3 new LSM hooks that provide the means for LSMs
to embed their own security context within user namespace, effectively
creating some sort of a user_ns related security namespace.
The first one to take advantage of this mechanism is Smack.
The hooks has been documented in the in the security.h below.
Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
---
include/linux/lsm_hooks.h | 28 ++++++++++++++++++++++++++++
include/linux/security.h | 23 +++++++++++++++++++++++
include/linux/user_namespace.h | 4 ++++
kernel/user.c | 3 +++
kernel/user_namespace.c | 18 ++++++++++++++++++
security/security.c | 28 ++++++++++++++++++++++++++++
6 files changed, 104 insertions(+)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index ec3a6ba..18c9160 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1261,6 +1261,23 @@
* audit_rule_init.
* @rule contains the allocated rule
*
+ * @userns_create:
+ * Allocates and fills the security part of a new user namespace.
+ * @ns points to a newly created user namespace.
+ * Returns 0 or an error code.
+ *
+ * @userns_free:
+ * Deallocates the security part of a user namespace.
+ * @ns points to a user namespace about to be destroyed.
+ *
+ * @userns_setns:
+ * Run during a setns syscall to add a process to an already existing
+ * user namespace. Returning failure here will block the operation
+ * requested from userspace (setns() with CLONE_NEWUSER).
+ * @nsproxy contains nsproxy to which the user namespace will be assigned.
+ * @ns contains user namespace that is to be incorporated to the nsproxy.
+ * Returns 0 or an error code.
+ *
* @inode_notifysecctx:
* Notify the security module of what the security context of an inode
* should be. Initializes the incore security context managed by the
@@ -1613,6 +1630,12 @@ union security_list_options {
struct audit_context *actx);
void (*audit_rule_free)(void *lsmrule);
#endif /* CONFIG_AUDIT */
+
+#ifdef CONFIG_USER_NS
+ int (*userns_create)(struct user_namespace *ns);
+ void (*userns_free)(struct user_namespace *ns);
+ int (*userns_setns)(struct nsproxy *nsproxy, struct user_namespace *ns);
+#endif /* CONFIG_USER_NS */
};
struct security_hook_heads {
@@ -1824,6 +1847,11 @@ struct security_hook_heads {
struct list_head audit_rule_match;
struct list_head audit_rule_free;
#endif /* CONFIG_AUDIT */
+#ifdef CONFIG_USER_NS
+ struct list_head userns_create;
+ struct list_head userns_free;
+ struct list_head userns_setns;
+#endif /* CONFIG_USER_NS */
};
/*
diff --git a/include/linux/security.h b/include/linux/security.h
index 2f4c1f7..91ffba2 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1584,6 +1584,29 @@ static inline void security_audit_rule_free(void *lsmrule)
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_AUDIT */
+#ifdef CONFIG_USER_NS
+int security_userns_create(struct user_namespace *ns);
+void security_userns_free(struct user_namespace *ns);
+int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns);
+
+#else
+
+static inline int security_userns_create(struct user_namespace *ns)
+{
+ return 0;
+}
+
+static inline void security_userns_free(struct user_namespace *ns)
+{ }
+
+static inline int security_userns_setns(struct nsproxy *nsproxy,
+ struct user_namespace *ns)
+{
+ return 0;
+}
+
+#endif /* CONFIG_USER_NS */
+
#ifdef CONFIG_SECURITYFS
extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 8297e5b..a9400cc 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -39,6 +39,10 @@ struct user_namespace {
struct key *persistent_keyring_register;
struct rw_semaphore persistent_keyring_register_sem;
#endif
+
+#ifdef CONFIG_SECURITY
+ void *security;
+#endif
};
extern struct user_namespace init_user_ns;
diff --git a/kernel/user.c b/kernel/user.c
index b069ccb..ce5419e 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -59,6 +59,9 @@ struct user_namespace init_user_ns = {
.persistent_keyring_register_sem =
__RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),
#endif
+#ifdef CONFIG_SECURITY
+ .security = NULL,
+#endif
};
EXPORT_SYMBOL_GPL(init_user_ns);
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 88fefa6..daef188 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -22,6 +22,7 @@
#include <linux/ctype.h>
#include <linux/projid.h>
#include <linux/fs_struct.h>
+#include <linux/security.h>
static struct kmem_cache *user_ns_cachep __read_mostly;
static DEFINE_MUTEX(userns_state_mutex);
@@ -109,6 +110,15 @@ int create_user_ns(struct cred *new)
set_cred_user_ns(new, ns);
+#ifdef CONFIG_SECURITY
+ ret = security_userns_create(ns);
+ if (ret) {
+ ns_free_inum(&ns->ns);
+ kmem_cache_free(user_ns_cachep, ns);
+ return ret;
+ }
+#endif
+
#ifdef CONFIG_PERSISTENT_KEYRINGS
init_rwsem(&ns->persistent_keyring_register_sem);
#endif
@@ -144,6 +154,9 @@ void free_user_ns(struct user_namespace *ns)
#ifdef CONFIG_PERSISTENT_KEYRINGS
key_put(ns->persistent_keyring_register);
#endif
+#ifdef CONFIG_SECURITY
+ security_userns_free(ns);
+#endif
ns_free_inum(&ns->ns);
kmem_cache_free(user_ns_cachep, ns);
ns = parent;
@@ -970,6 +983,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
{
struct user_namespace *user_ns = to_user_ns(ns);
struct cred *cred;
+ int err;
/* Don't allow gaining capabilities by reentering
* the same user namespace.
@@ -987,6 +1001,10 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
if (!ns_capable(user_ns, CAP_SYS_ADMIN))
return -EPERM;
+ err = security_userns_setns(nsproxy, user_ns);
+ if (err)
+ return err;
+
cred = prepare_creds();
if (!cred)
return -ENOMEM;
diff --git a/security/security.c b/security/security.c
index 46f405c..e571127 100644
--- a/security/security.c
+++ b/security/security.c
@@ -25,6 +25,7 @@
#include <linux/mount.h>
#include <linux/personality.h>
#include <linux/backing-dev.h>
+#include <linux/user_namespace.h>
#include <net/flow.h>
#define MAX_LSM_EVM_XATTR 2
@@ -1538,6 +1539,25 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
}
#endif /* CONFIG_AUDIT */
+#ifdef CONFIG_USER_NS
+
+int security_userns_create(struct user_namespace *ns)
+{
+ return call_int_hook(userns_create, 0, ns);
+}
+
+void security_userns_free(struct user_namespace *ns)
+{
+ call_void_hook(userns_free, ns);
+}
+
+int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns)
+{
+ return call_int_hook(userns_setns, 0, nsproxy, ns);
+}
+
+#endif /* CONFIG_USER_NS */
+
struct security_hook_heads security_hook_heads = {
.binder_set_context_mgr =
LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
@@ -1882,4 +1902,12 @@ struct security_hook_heads security_hook_heads = {
.audit_rule_free =
LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
#endif /* CONFIG_AUDIT */
+#ifdef CONFIG_USER_NS
+ .userns_create =
+ LIST_HEAD_INIT(security_hook_heads.userns_create),
+ .userns_free =
+ LIST_HEAD_INIT(security_hook_heads.userns_free),
+ .userns_setns =
+ LIST_HEAD_INIT(security_hook_heads.userns_setns),
+#endif /* CONFIG_USER_NS */
};
--
2.4.3
next prev parent reply other threads:[~2015-10-14 13:00 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-14 12:41 [PATCH v4 00/11] Smack namespace Lukasz Pawelczyk
2015-10-14 12:41 ` Lukasz Pawelczyk [this message]
2015-10-29 22:49 ` [PATCH v4 01/11] user_ns: 3 new LSM hooks for user namespace operations Casey Schaufler
2015-10-14 12:41 ` [PATCH v4 02/11] lsm: /proc/$PID/attr/label_map file and getprocattr_seq hook Lukasz Pawelczyk
2015-10-29 22:49 ` Casey Schaufler
2015-10-14 12:41 ` [PATCH v4 03/11] lsm: add file opener's cred to a setprocattr arguments Lukasz Pawelczyk
2015-10-29 22:49 ` Casey Schaufler
2015-11-10 4:16 ` Al Viro
2015-11-10 10:15 ` Lukasz Pawelczyk
2015-10-14 12:41 ` [PATCH v4 04/11] lsm: inode_pre_setxattr hook Lukasz Pawelczyk
2015-10-29 22:50 ` Casey Schaufler
2015-11-05 5:16 ` John Johansen
2015-10-14 12:41 ` [PATCH v4 05/11] smack: extend capability functions and fix 2 checks Lukasz Pawelczyk
2015-10-29 22:50 ` Casey Schaufler
2015-10-14 12:42 ` [PATCH v4 06/11] smack: don't use implicit star to display smackfs/syslog Lukasz Pawelczyk
2015-10-29 22:50 ` Casey Schaufler
2015-10-14 12:42 ` [PATCH v4 07/11] smack: abstraction layer for 2 common Smack operations Lukasz Pawelczyk
2015-10-29 22:51 ` Casey Schaufler
2015-10-14 12:42 ` [PATCH v4 08/11] smack: misc cleanups in preparation for a namespace patch Lukasz Pawelczyk
2015-10-29 22:51 ` Casey Schaufler
2015-10-14 12:42 ` [PATCH v4 09/11] smack: namespace groundwork Lukasz Pawelczyk
2015-10-29 22:51 ` Casey Schaufler
2015-10-14 12:42 ` [PATCH v4 10/11] smack: namespace implementation Lukasz Pawelczyk
2015-10-29 22:52 ` Casey Schaufler
2015-10-14 12:42 ` [PATCH v4 11/11] smack: documentation for the Smack namespace Lukasz Pawelczyk
2015-10-29 22:52 ` Casey Schaufler
2015-11-09 15:40 ` [PATCH v4 00/11] " Lukasz Pawelczyk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1444826525-9758-2-git-send-email-l.pawelczyk@samsung.com \
--to=l.pawelczyk@samsung.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=calvinowens@fb.com \
--cc=casey@schaufler-ca.com \
--cc=containers@lists.linuxfoundation.org \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=edumazet@google.com \
--cc=eparis@parisplace.org \
--cc=gregkh@linuxfoundation.org \
--cc=havner@gmail.com \
--cc=james.l.morris@oracle.com \
--cc=jann@thejh.net \
--cc=joe@perches.com \
--cc=john.johansen@canonical.com \
--cc=jslaby@suse.com \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mchehab@osg.samsung.com \
--cc=neilb@suse.de \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=serge@hallyn.com \
--cc=tj@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).