From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.1 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1, USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BED2C433E4 for ; Wed, 15 Jul 2020 18:34:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2C84A207BC for ; Wed, 15 Jul 2020 18:34:11 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="ENfLP4xn" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726873AbgGOSeJ (ORCPT ); Wed, 15 Jul 2020 14:34:09 -0400 Received: from linux.microsoft.com ([13.77.154.182]:38982 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726034AbgGOSeJ (ORCPT ); Wed, 15 Jul 2020 14:34:09 -0400 Received: from [192.168.0.104] (c-73-42-176-67.hsd1.wa.comcast.net [73.42.176.67]) by linux.microsoft.com (Postfix) with ESMTPSA id 0456D20B4908; Wed, 15 Jul 2020 11:34:07 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 0456D20B4908 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1594838048; bh=h/hY55Q0qtm8L3rDWYxgRPeKHyFR7vIM/95MK08uoXY=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=ENfLP4xnfL87tgV8bYKfz92gup/o0XmaYAr+T2UGIZhJW860xPQ5YxZUznSchJTxn GHmpXHtBTgrY48padhK2h6/aqsJrBj6X9abd+M9RE+9iyXjHt5b43Q/u3EbyiYhWvZ aOX3AM4xbrCHDMgVdUB3IWeUaHkvalD8r3+0cpGg= Subject: Re: [PATCH v1 4/5] LSM: Define SELinux function to measure security state To: Stephen Smalley Cc: Mimi Zohar , Casey Schaufler , James Morris , linux-integrity@vger.kernel.org, SElinux list , LSM List , linux-kernel References: <20200715154853.23374-1-nramas@linux.microsoft.com> <20200715154853.23374-5-nramas@linux.microsoft.com> From: Lakshmi Ramasubramanian Message-ID: Date: Wed, 15 Jul 2020 11:34:07 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/15/20 11:04 AM, Stephen Smalley wrote: >> +static inline bool selinux_checkreqprot(void) >> +{ >> + struct selinux_state *state = &selinux_state; >> + >> + return state->checkreqprot; >> +} > > Probably should use READ_ONCE(). Will do. > >> diff --git a/security/selinux/measure.c b/security/selinux/measure.c >> new file mode 100644 >> index 000000000000..b909e8e61542 >> --- /dev/null >> +++ b/security/selinux/measure.c >> @@ -0,0 +1,122 @@ >> +int selinux_security_state(void) > > Let's call this selinux_measure_state() or similar. Needs a verb. And > pass it a struct selinux_state * pointer argument to be measured, even > though initially it will always be passed &selinux_state. The > encapsulation of selinux state within selinux_state was to support > multiple selinux namespaces in the future, each with their own state. Will do. >> + static char *security_state_string = >> + "enabled=%d;enforcing=%d;checkreqprot=%d;" \ >> + "netpeer=%d;openperm=%d;extsockclass=%d;" \ >> + "alwaysnetwork=%d;cgroupseclabel=%d;" \ >> + "nnpnosuidtransition=%d;genfsseclabelsymlink=%d;"; > > Rather than hardcoding policy capability names here, I would recommend > using the selinux_policycap_names[] array for the names and the > selinux_state.policycap[] array for the values. Also recommend > passing in a struct selinux_state * here to allow for future case > where there are multiple selinux states, one per selinux namespace. Will do. > >> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c >> index ef0afd878bfc..0c289d13ef6a 100644 >> --- a/security/selinux/ss/services.c >> +++ b/security/selinux/ss/services.c >> @@ -3724,10 +3724,11 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state, >> * security_read_policy - read the policy. >> * @data: binary policy data >> * @len: length of data in bytes >> - * >> + * @alloc_kernel_memory: flag to indicate memory allocation >> */ >> -int security_read_policy(struct selinux_state *state, >> - void **data, size_t *len) >> +int security_read_selinux_policy(struct selinux_state *state, >> + void **data, size_t *len, >> + bool alloc_kernel_memory) > > Instead of passing in a boolean to control how the memory is > allocated, split this into a helper function that takes an > already-allocated buffer and two > different front-end wrappers, one for kernel-internal use and one for > userspace use. Will do. > >> @@ -3738,7 +3739,10 @@ int security_read_policy(struct selinux_state *state, >> >> *len = security_policydb_len(state); >> >> - *data = vmalloc_user(*len); >> + if (alloc_kernel_memory) >> + *data = kzalloc(*len, GFP_KERNEL); > > You need vmalloc() since policy image size may exceed kmalloc max (or > at least that used to be the case). Will do. thanks, -lakshmi