From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758120AbbJ2WtS (ORCPT ); Thu, 29 Oct 2015 18:49:18 -0400 Received: from smtp107.biz.mail.bf1.yahoo.com ([98.139.244.55]:31773 "EHLO smtp107.biz.mail.bf1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757188AbbJ2WtP (ORCPT ); Thu, 29 Oct 2015 18:49:15 -0400 X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: YNup9TIVM1mTgooWVnx34toUgyEU4LTotefWR6UVVQJpeKM EFFIx3rGL717wZ9m2b9Qm1Chv26AcskJ2oH.Iamd8aAzLAYF1pOiyBwgkgbO CBCsHBsZKVLPBvDs4cMZGIvv0P7Up1ZZNP5eZMrw_Wkfvw1_RkoNWu8Dg4tz lTZZp5Jn_h93DZ1Bcilvv8eZZ.e3urLu0PgbL5OeillUJNK_VI_dD8XRVC0X B4DXSxzhScZxU25QMtV5Tu37FGcO5i8yrhd6kVCkVgHZkqLDvABwuC.LyknR 3LG0U2amk1RUo.HKYT9svvXoBQKF3WLypvauKYG0vUp6KX9JtErZQBmMV8LJ 3kH2yIzbvbNcgfRCc8akeL_2v_YzJUwI9y8lN6TIjTkIIVyMQ6BTeV4r7yS7 93h0Bzx1R9Ap3SaTBqdKfqModGO9WEluw5JBV1dy7vn8fFjkCiJEZYbxnhoT NoGvAmfl1obniSrO0JP50RjmTmrE2vTm6MD26eVPGANh9JQ0P_3X63Lrdv1L N X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw-- Subject: Re: [PATCH v4 01/11] user_ns: 3 new LSM hooks for user namespace operations To: Lukasz Pawelczyk , "David S. Miller" , "Eric W. Biederman" , "Serge E. Hallyn" , Al Viro , Alexey Dobriyan , Andrew Morton , Andy Lutomirski , Calvin Owens , David Howells , Eric Dumazet , Eric Paris , Greg Kroah-Hartman , James Morris , Jann Horn , Jiri Slaby , Joe Perches , John Johansen , Jonathan Corbet , Kees Cook , Mauro Carvalho Chehab , NeilBrown , Paul Moore , Serge Hallyn , Stephen Smalley , Tejun Heo , Tetsuo Handa , containers@lists.linuxfoundation.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov References: <1444826525-9758-1-git-send-email-l.pawelczyk@samsung.com> <1444826525-9758-2-git-send-email-l.pawelczyk@samsung.com> Cc: Lukasz Pawelczyk From: Casey Schaufler Message-ID: <5632A265.7020402@schaufler-ca.com> Date: Thu, 29 Oct 2015 15:49:09 -0700 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <1444826525-9758-2-git-send-email-l.pawelczyk@samsung.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 10/14/2015 5:41 AM, Lukasz Pawelczyk wrote: > This commit implements 3 new LSM hooks that provide the means for LSMs > to embed their own security context within user namespace, effectively > creating some sort of a user_ns related security namespace. > > The first one to take advantage of this mechanism is Smack. > > The hooks has been documented in the in the security.h below. > > Signed-off-by: Lukasz Pawelczyk > Reviewed-by: Casey Schaufler > Acked-by: Paul Moore Acked-by: Casey Schaufler > --- > include/linux/lsm_hooks.h | 28 ++++++++++++++++++++++++++++ > include/linux/security.h | 23 +++++++++++++++++++++++ > include/linux/user_namespace.h | 4 ++++ > kernel/user.c | 3 +++ > kernel/user_namespace.c | 18 ++++++++++++++++++ > security/security.c | 28 ++++++++++++++++++++++++++++ > 6 files changed, 104 insertions(+) > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index ec3a6ba..18c9160 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -1261,6 +1261,23 @@ > * audit_rule_init. > * @rule contains the allocated rule > * > + * @userns_create: > + * Allocates and fills the security part of a new user namespace. > + * @ns points to a newly created user namespace. > + * Returns 0 or an error code. > + * > + * @userns_free: > + * Deallocates the security part of a user namespace. > + * @ns points to a user namespace about to be destroyed. > + * > + * @userns_setns: > + * Run during a setns syscall to add a process to an already existing > + * user namespace. Returning failure here will block the operation > + * requested from userspace (setns() with CLONE_NEWUSER). > + * @nsproxy contains nsproxy to which the user namespace will be assigned. > + * @ns contains user namespace that is to be incorporated to the nsproxy. > + * Returns 0 or an error code. > + * > * @inode_notifysecctx: > * Notify the security module of what the security context of an inode > * should be. Initializes the incore security context managed by the > @@ -1613,6 +1630,12 @@ union security_list_options { > struct audit_context *actx); > void (*audit_rule_free)(void *lsmrule); > #endif /* CONFIG_AUDIT */ > + > +#ifdef CONFIG_USER_NS > + int (*userns_create)(struct user_namespace *ns); > + void (*userns_free)(struct user_namespace *ns); > + int (*userns_setns)(struct nsproxy *nsproxy, struct user_namespace *ns); > +#endif /* CONFIG_USER_NS */ > }; > > struct security_hook_heads { > @@ -1824,6 +1847,11 @@ struct security_hook_heads { > struct list_head audit_rule_match; > struct list_head audit_rule_free; > #endif /* CONFIG_AUDIT */ > +#ifdef CONFIG_USER_NS > + struct list_head userns_create; > + struct list_head userns_free; > + struct list_head userns_setns; > +#endif /* CONFIG_USER_NS */ > }; > > /* > diff --git a/include/linux/security.h b/include/linux/security.h > index 2f4c1f7..91ffba2 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -1584,6 +1584,29 @@ static inline void security_audit_rule_free(void *lsmrule) > #endif /* CONFIG_SECURITY */ > #endif /* CONFIG_AUDIT */ > > +#ifdef CONFIG_USER_NS > +int security_userns_create(struct user_namespace *ns); > +void security_userns_free(struct user_namespace *ns); > +int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns); > + > +#else > + > +static inline int security_userns_create(struct user_namespace *ns) > +{ > + return 0; > +} > + > +static inline void security_userns_free(struct user_namespace *ns) > +{ } > + > +static inline int security_userns_setns(struct nsproxy *nsproxy, > + struct user_namespace *ns) > +{ > + return 0; > +} > + > +#endif /* CONFIG_USER_NS */ > + > #ifdef CONFIG_SECURITYFS > > extern struct dentry *securityfs_create_file(const char *name, umode_t mode, > diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h > index 8297e5b..a9400cc 100644 > --- a/include/linux/user_namespace.h > +++ b/include/linux/user_namespace.h > @@ -39,6 +39,10 @@ struct user_namespace { > struct key *persistent_keyring_register; > struct rw_semaphore persistent_keyring_register_sem; > #endif > + > +#ifdef CONFIG_SECURITY > + void *security; > +#endif > }; > > extern struct user_namespace init_user_ns; > diff --git a/kernel/user.c b/kernel/user.c > index b069ccb..ce5419e 100644 > --- a/kernel/user.c > +++ b/kernel/user.c > @@ -59,6 +59,9 @@ struct user_namespace init_user_ns = { > .persistent_keyring_register_sem = > __RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem), > #endif > +#ifdef CONFIG_SECURITY > + .security = NULL, > +#endif > }; > EXPORT_SYMBOL_GPL(init_user_ns); > > diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c > index 88fefa6..daef188 100644 > --- a/kernel/user_namespace.c > +++ b/kernel/user_namespace.c > @@ -22,6 +22,7 @@ > #include > #include > #include > +#include > > static struct kmem_cache *user_ns_cachep __read_mostly; > static DEFINE_MUTEX(userns_state_mutex); > @@ -109,6 +110,15 @@ int create_user_ns(struct cred *new) > > set_cred_user_ns(new, ns); > > +#ifdef CONFIG_SECURITY > + ret = security_userns_create(ns); > + if (ret) { > + ns_free_inum(&ns->ns); > + kmem_cache_free(user_ns_cachep, ns); > + return ret; > + } > +#endif > + > #ifdef CONFIG_PERSISTENT_KEYRINGS > init_rwsem(&ns->persistent_keyring_register_sem); > #endif > @@ -144,6 +154,9 @@ void free_user_ns(struct user_namespace *ns) > #ifdef CONFIG_PERSISTENT_KEYRINGS > key_put(ns->persistent_keyring_register); > #endif > +#ifdef CONFIG_SECURITY > + security_userns_free(ns); > +#endif > ns_free_inum(&ns->ns); > kmem_cache_free(user_ns_cachep, ns); > ns = parent; > @@ -970,6 +983,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns) > { > struct user_namespace *user_ns = to_user_ns(ns); > struct cred *cred; > + int err; > > /* Don't allow gaining capabilities by reentering > * the same user namespace. > @@ -987,6 +1001,10 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns) > if (!ns_capable(user_ns, CAP_SYS_ADMIN)) > return -EPERM; > > + err = security_userns_setns(nsproxy, user_ns); > + if (err) > + return err; > + > cred = prepare_creds(); > if (!cred) > return -ENOMEM; > diff --git a/security/security.c b/security/security.c > index 46f405c..e571127 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -25,6 +25,7 @@ > #include > #include > #include > +#include > #include > > #define MAX_LSM_EVM_XATTR 2 > @@ -1538,6 +1539,25 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, > } > #endif /* CONFIG_AUDIT */ > > +#ifdef CONFIG_USER_NS > + > +int security_userns_create(struct user_namespace *ns) > +{ > + return call_int_hook(userns_create, 0, ns); > +} > + > +void security_userns_free(struct user_namespace *ns) > +{ > + call_void_hook(userns_free, ns); > +} > + > +int security_userns_setns(struct nsproxy *nsproxy, struct user_namespace *ns) > +{ > + return call_int_hook(userns_setns, 0, nsproxy, ns); > +} > + > +#endif /* CONFIG_USER_NS */ > + > struct security_hook_heads security_hook_heads = { > .binder_set_context_mgr = > LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr), > @@ -1882,4 +1902,12 @@ struct security_hook_heads security_hook_heads = { > .audit_rule_free = > LIST_HEAD_INIT(security_hook_heads.audit_rule_free), > #endif /* CONFIG_AUDIT */ > +#ifdef CONFIG_USER_NS > + .userns_create = > + LIST_HEAD_INIT(security_hook_heads.userns_create), > + .userns_free = > + LIST_HEAD_INIT(security_hook_heads.userns_free), > + .userns_setns = > + LIST_HEAD_INIT(security_hook_heads.userns_setns), > +#endif /* CONFIG_USER_NS */ > };