* [PATCH v18 05/23] net: Prepare UDS for security module stacking
[not found] <20200709001234.9719-1-casey@schaufler-ca.com>
@ 2020-07-09 0:12 ` Casey Schaufler
2020-07-09 16:11 ` Stephen Smalley
2020-07-09 0:12 ` [PATCH v18 06/23] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
` (4 subsequent siblings)
5 siblings, 1 reply; 10+ messages in thread
From: Casey Schaufler @ 2020-07-09 0:12 UTC (permalink / raw)
To: casey.schaufler, jmorris, linux-security-module, selinux
Cc: casey, keescook, john.johansen, penguin-kernel, paul, sds, netdev
Change the data used in UDS SO_PEERSEC processing from a
secid to a more general struct lsmblob. Update the
security_socket_getpeersec_dgram() interface to use the
lsmblob. There is a small amount of scaffolding code
that will come out when the security_secid_to_secctx()
code is brought in line with the lsmblob.
The secid field of the unix_skb_parms structure has been
replaced with a pointer to an lsmblob structure, and the
lsmblob is allocated as needed. This is similar to how the
list of passed files is managed. While an lsmblob structure
will fit in the available space today, there is no guarantee
that the addition of other data to the unix_skb_parms or
support for additional security modules wouldn't exceed what
is available.
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
---
include/linux/security.h | 7 +++++--
include/net/af_unix.h | 2 +-
include/net/scm.h | 8 +++++---
net/ipv4/ip_sockglue.c | 8 +++++---
net/unix/af_unix.c | 12 +++++++++---
net/unix/scm.c | 6 ++++++
security/security.c | 18 +++++++++++++++---
7 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 6d403a522918..d81e8886d799 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1397,7 +1397,8 @@ int security_socket_shutdown(struct socket *sock, int how);
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len);
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+ struct lsmblob *blob);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
void security_sk_free(struct sock *sk);
void security_sk_clone(const struct sock *sk, struct sock *newsk);
@@ -1535,7 +1536,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
return -ENOPROTOOPT;
}
-static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static inline int security_socket_getpeersec_dgram(struct socket *sock,
+ struct sk_buff *skb,
+ struct lsmblob *blob)
{
return -ENOPROTOOPT;
}
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index f42fdddecd41..e99c84677e14 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -36,7 +36,7 @@ struct unix_skb_parms {
kgid_t gid;
struct scm_fp_list *fp; /* Passed files */
#ifdef CONFIG_SECURITY_NETWORK
- u32 secid; /* Security ID */
+ struct lsmblob *lsmdata; /* Security LSM data */
#endif
u32 consumed;
} __randomize_layout;
diff --git a/include/net/scm.h b/include/net/scm.h
index 1ce365f4c256..e2e71c4bf9d0 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -33,7 +33,7 @@ struct scm_cookie {
struct scm_fp_list *fp; /* Passed files */
struct scm_creds creds; /* Skb credentials */
#ifdef CONFIG_SECURITY_NETWORK
- u32 secid; /* Passed security ID */
+ struct lsmblob lsmblob; /* Passed LSM data */
#endif
};
@@ -46,7 +46,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
#ifdef CONFIG_SECURITY_NETWORK
static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
{
- security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
+ security_socket_getpeersec_dgram(sock, NULL, &scm->lsmblob);
}
#else
static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
@@ -97,7 +97,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
int err;
if (test_bit(SOCK_PASSSEC, &sock->flags)) {
- err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
+ /* Scaffolding - it has to be element 0 for now */
+ err = security_secid_to_secctx(scm->lsmblob.secid[0],
+ &secdata, &seclen);
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 84ec3703c909..3ea1103b4c29 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -130,15 +130,17 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
{
+ struct lsmblob lb;
char *secdata;
- u32 seclen, secid;
+ u32 seclen;
int err;
- err = security_socket_getpeersec_dgram(NULL, skb, &secid);
+ err = security_socket_getpeersec_dgram(NULL, skb, &lb);
if (err)
return;
- err = security_secid_to_secctx(secid, &secdata, &seclen);
+ /* Scaffolding - it has to be element 0 */
+ err = security_secid_to_secctx(lb.secid[0], &secdata, &seclen);
if (err)
return;
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 3385a7a0b231..d246aefcf4da 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -138,17 +138,23 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
#ifdef CONFIG_SECURITY_NETWORK
static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
{
- UNIXCB(skb).secid = scm->secid;
+ UNIXCB(skb).lsmdata = kmemdup(&scm->lsmblob, sizeof(scm->lsmblob),
+ GFP_KERNEL);
}
static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
{
- scm->secid = UNIXCB(skb).secid;
+ if (likely(UNIXCB(skb).lsmdata))
+ scm->lsmblob = *(UNIXCB(skb).lsmdata);
+ else
+ lsmblob_init(&scm->lsmblob, 0);
}
static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
{
- return (scm->secid == UNIXCB(skb).secid);
+ if (likely(UNIXCB(skb).lsmdata))
+ return lsmblob_equal(&scm->lsmblob, UNIXCB(skb).lsmdata);
+ return false;
}
#else
static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
diff --git a/net/unix/scm.c b/net/unix/scm.c
index 8c40f2b32392..3094323935a4 100644
--- a/net/unix/scm.c
+++ b/net/unix/scm.c
@@ -142,6 +142,12 @@ void unix_destruct_scm(struct sk_buff *skb)
scm.pid = UNIXCB(skb).pid;
if (UNIXCB(skb).fp)
unix_detach_fds(&scm, skb);
+#ifdef CONFIG_SECURITY_NETWORK
+ if (UNIXCB(skb).lsmdata) {
+ kfree(UNIXCB(skb).lsmdata);
+ UNIXCB(skb).lsmdata = NULL;
+ }
+#endif
/* Alas, it calls VFS */
/* So fscking what? fput() had been SMP-safe since the last Summer */
diff --git a/security/security.c b/security/security.c
index f54c6dfd9b89..2122ed9df058 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2204,10 +2204,22 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
optval, optlen, len);
}
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+ struct lsmblob *blob)
{
- return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
- skb, secid);
+ struct security_hook_list *hp;
+ int rc = -ENOPROTOOPT;
+
+ hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
+ list) {
+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+ continue;
+ rc = hp->hook.socket_getpeersec_dgram(sock, skb,
+ &blob->secid[hp->lsmid->slot]);
+ if (rc != 0)
+ break;
+ }
+ return rc;
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
--
2.24.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v18 06/23] LSM: Use lsmblob in security_secctx_to_secid
[not found] <20200709001234.9719-1-casey@schaufler-ca.com>
2020-07-09 0:12 ` [PATCH v18 05/23] net: Prepare UDS for security module stacking Casey Schaufler
@ 2020-07-09 0:12 ` Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 14/23] LSM: Ensure the correct LSM context releaser Casey Schaufler
` (3 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Casey Schaufler @ 2020-07-09 0:12 UTC (permalink / raw)
To: casey.schaufler, jmorris, linux-security-module, selinux
Cc: casey, keescook, john.johansen, penguin-kernel, paul, sds, netdev
Change security_secctx_to_secid() to fill in a lsmblob instead
of a u32 secid. Multiple LSMs may be able to interpret the
string, and this allows for setting whichever secid is
appropriate. Change security_secmark_relabel_packet() to use a
lsmblob instead of a u32 secid. In some other cases there is
scaffolding where interfaces have yet to be converted.
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
---
include/linux/security.h | 30 +++++++++++++++++++++++----
include/net/scm.h | 7 +++++--
kernel/cred.c | 4 +---
net/ipv4/ip_sockglue.c | 6 ++++--
net/netfilter/nft_meta.c | 18 +++++++++-------
net/netfilter/xt_SECMARK.c | 9 ++++++--
net/netlabel/netlabel_unlabeled.c | 23 +++++++++++++--------
security/security.c | 34 ++++++++++++++++++++++++++-----
8 files changed, 98 insertions(+), 33 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index d81e8886d799..98176faaaba5 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -189,6 +189,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
return !memcmp(bloba, blobb, sizeof(*bloba));
}
+/**
+ * lsmblob_value - find the first non-zero value in an lsmblob structure.
+ * @blob: Pointer to the data
+ *
+ * This needs to be used with extreme caution, as the cases where
+ * it is appropriate are rare.
+ *
+ * Return the first secid value set in the lsmblob.
+ * There should only be one.
+ */
+static inline u32 lsmblob_value(const struct lsmblob *blob)
+{
+ int i;
+
+ for (i = 0; i < LSMBLOB_ENTRIES; i++)
+ if (blob->secid[i])
+ return blob->secid[i];
+
+ return 0;
+}
+
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
@@ -502,7 +523,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int security_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsmblob *blob);
void security_release_secctx(char *secdata, u32 seclen);
void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
@@ -1321,7 +1343,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
static inline int security_secctx_to_secid(const char *secdata,
u32 seclen,
- u32 *secid)
+ struct lsmblob *blob)
{
return -EOPNOTSUPP;
}
@@ -1411,7 +1433,7 @@ void security_inet_csk_clone(struct sock *newsk,
const struct request_sock *req);
void security_inet_conn_established(struct sock *sk,
struct sk_buff *skb);
-int security_secmark_relabel_packet(u32 secid);
+int security_secmark_relabel_packet(struct lsmblob *blob);
void security_secmark_refcount_inc(void);
void security_secmark_refcount_dec(void);
int security_tun_dev_alloc_security(void **security);
@@ -1584,7 +1606,7 @@ static inline void security_inet_conn_established(struct sock *sk,
{
}
-static inline int security_secmark_relabel_packet(u32 secid)
+static inline int security_secmark_relabel_packet(struct lsmblob *blob)
{
return 0;
}
diff --git a/include/net/scm.h b/include/net/scm.h
index e2e71c4bf9d0..c09f2dfeec88 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -97,8 +97,11 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
int err;
if (test_bit(SOCK_PASSSEC, &sock->flags)) {
- /* Scaffolding - it has to be element 0 for now */
- err = security_secid_to_secctx(scm->lsmblob.secid[0],
+ /* There can currently be only one value in the lsmblob,
+ * so getting it from lsmblob_value is appropriate until
+ * security_secid_to_secctx() is converted to taking a
+ * lsmblob directly. */
+ err = security_secid_to_secctx(lsmblob_value(&scm->lsmblob),
&secdata, &seclen);
if (!err) {
diff --git a/kernel/cred.c b/kernel/cred.c
index 22e0e7cbefde..848306c7d823 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -757,14 +757,12 @@ EXPORT_SYMBOL(set_security_override);
int set_security_override_from_ctx(struct cred *new, const char *secctx)
{
struct lsmblob blob;
- u32 secid;
int ret;
- ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
+ ret = security_secctx_to_secid(secctx, strlen(secctx), &blob);
if (ret < 0)
return ret;
- lsmblob_init(&blob, secid);
return set_security_override(new, &blob);
}
EXPORT_SYMBOL(set_security_override_from_ctx);
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 3ea1103b4c29..6bdac5f87a1e 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -139,8 +139,10 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
if (err)
return;
- /* Scaffolding - it has to be element 0 */
- err = security_secid_to_secctx(lb.secid[0], &secdata, &seclen);
+ /* There can only be one secid in the lsmblob at this point,
+ * so getting it using lsmblob_value() is sufficient until
+ * security_secid_to_secctx() is changed to use a lsmblob */
+ err = security_secid_to_secctx(lsmblob_value(&lb), &secdata, &seclen);
if (err)
return;
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 951b6e87ed5d..5875222aeac5 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -801,7 +801,7 @@ struct nft_expr_type nft_meta_type __read_mostly = {
#ifdef CONFIG_NETWORK_SECMARK
struct nft_secmark {
- u32 secid;
+ struct lsmblob lsmdata;
char *ctx;
};
@@ -811,21 +811,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
static int nft_secmark_compute_secid(struct nft_secmark *priv)
{
- u32 tmp_secid = 0;
+ struct lsmblob blob;
int err;
- err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
+ err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob);
if (err)
return err;
- if (!tmp_secid)
+ if (!lsmblob_is_set(&blob))
return -ENOENT;
- err = security_secmark_relabel_packet(tmp_secid);
+ err = security_secmark_relabel_packet(&blob);
if (err)
return err;
- priv->secid = tmp_secid;
+ priv->lsmdata = blob;
return 0;
}
@@ -835,7 +835,11 @@ static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs,
const struct nft_secmark *priv = nft_obj_data(obj);
struct sk_buff *skb = pkt->skb;
- skb->secmark = priv->secid;
+ /* It is not possible for more than one secid to be set in
+ * the lsmblob structure because it is set using
+ * security_secctx_to_secid(). Any secid that is set must therefore
+ * be the one that should go in the secmark. */
+ skb->secmark = lsmblob_value(&priv->lsmdata);
}
static int nft_secmark_obj_init(const struct nft_ctx *ctx,
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 75625d13e976..5a268707eeda 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -43,13 +43,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
static int checkentry_lsm(struct xt_secmark_target_info *info)
{
+ struct lsmblob blob;
int err;
info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
info->secid = 0;
err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
- &info->secid);
+ &blob);
if (err) {
if (err == -EINVAL)
pr_info_ratelimited("invalid security context \'%s\'\n",
@@ -57,13 +58,17 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
return err;
}
+ /* xt_secmark_target_info can't be changed to use lsmblobs because
+ * it is exposed as an API. Use lsmblob_value() to get the one
+ * value that got set by security_secctx_to_secid(). */
+ info->secid = lsmblob_value(&blob);
if (!info->secid) {
pr_info_ratelimited("unable to map security context \'%s\'\n",
info->secctx);
return -ENOENT;
}
- err = security_secmark_relabel_packet(info->secid);
+ err = security_secmark_relabel_packet(&blob);
if (err) {
pr_info_ratelimited("unable to obtain relabeling permission\n");
return err;
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 77bb1bb22c3b..8948557eaebb 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -882,7 +882,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
void *addr;
void *mask;
u32 addr_len;
- u32 secid;
+ struct lsmblob blob;
struct netlbl_audit audit_info;
/* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -906,13 +906,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
ret_val = security_secctx_to_secid(
nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
- &secid);
+ &blob);
if (ret_val != 0)
return ret_val;
+ /* netlbl_unlhsh_add will be changed to pass a struct lsmblob *
+ * instead of a u32 later in this patch set. security_secctx_to_secid()
+ * will only be setting one entry in the lsmblob struct, so it is
+ * safe to use lsmblob_value() to get that one value. */
+
return netlbl_unlhsh_add(&init_net,
- dev_name, addr, mask, addr_len, secid,
- &audit_info);
+ dev_name, addr, mask, addr_len,
+ lsmblob_value(&blob), &audit_info);
}
/**
@@ -933,7 +938,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
void *addr;
void *mask;
u32 addr_len;
- u32 secid;
+ struct lsmblob blob;
struct netlbl_audit audit_info;
/* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -955,13 +960,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
ret_val = security_secctx_to_secid(
nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
- &secid);
+ &blob);
if (ret_val != 0)
return ret_val;
+ /* security_secctx_to_secid() will only put one secid into the lsmblob
+ * so it's safe to use lsmblob_value() to get the secid. */
return netlbl_unlhsh_add(&init_net,
- NULL, addr, mask, addr_len, secid,
- &audit_info);
+ NULL, addr, mask, addr_len,
+ lsmblob_value(&blob), &audit_info);
}
/**
diff --git a/security/security.c b/security/security.c
index 2122ed9df058..d6c2905bf496 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2050,10 +2050,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
}
EXPORT_SYMBOL(security_secid_to_secctx);
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int security_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsmblob *blob)
{
- *secid = 0;
- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+ struct security_hook_list *hp;
+ int rc;
+
+ lsmblob_init(blob, 0);
+ hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+ continue;
+ rc = hp->hook.secctx_to_secid(secdata, seclen,
+ &blob->secid[hp->lsmid->slot]);
+ if (rc != 0)
+ return rc;
+ }
+ return 0;
}
EXPORT_SYMBOL(security_secctx_to_secid);
@@ -2286,9 +2298,21 @@ void security_inet_conn_established(struct sock *sk,
}
EXPORT_SYMBOL(security_inet_conn_established);
-int security_secmark_relabel_packet(u32 secid)
+int security_secmark_relabel_packet(struct lsmblob *blob)
{
- return call_int_hook(secmark_relabel_packet, 0, secid);
+ struct security_hook_list *hp;
+ int rc = 0;
+
+ hlist_for_each_entry(hp, &security_hook_heads.secmark_relabel_packet,
+ list) {
+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+ continue;
+ rc = hp->hook.secmark_relabel_packet(
+ blob->secid[hp->lsmid->slot]);
+ if (rc != 0)
+ break;
+ }
+ return rc;
}
EXPORT_SYMBOL(security_secmark_relabel_packet);
--
2.24.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v18 14/23] LSM: Ensure the correct LSM context releaser
[not found] <20200709001234.9719-1-casey@schaufler-ca.com>
2020-07-09 0:12 ` [PATCH v18 05/23] net: Prepare UDS for security module stacking Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 06/23] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
@ 2020-07-09 0:12 ` Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 15/23] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
` (2 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Casey Schaufler @ 2020-07-09 0:12 UTC (permalink / raw)
To: casey.schaufler, jmorris, linux-security-module, selinux
Cc: casey, keescook, john.johansen, penguin-kernel, paul, sds,
linux-integrity, netdev
Add a new lsmcontext data structure to hold all the information
about a "security context", including the string, its size and
which LSM allocated the string. The allocation information is
necessary because LSMs have different policies regarding the
lifecycle of these strings. SELinux allocates and destroys
them on each use, whereas Smack provides a pointer to an entry
in a list that never goes away.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: netdev@vger.kernel.org
---
drivers/android/binder.c | 10 ++++---
fs/ceph/xattr.c | 6 ++++-
fs/nfs/nfs4proc.c | 8 ++++--
fs/nfsd/nfs4xdr.c | 7 +++--
include/linux/security.h | 35 +++++++++++++++++++++++--
include/net/scm.h | 5 +++-
kernel/audit.c | 14 +++++++---
kernel/auditsc.c | 12 ++++++---
net/ipv4/ip_sockglue.c | 4 ++-
net/netfilter/nf_conntrack_netlink.c | 4 ++-
net/netfilter/nf_conntrack_standalone.c | 4 ++-
net/netfilter/nfnetlink_queue.c | 13 ++++++---
net/netlabel/netlabel_unlabeled.c | 19 +++++++++++---
net/netlabel/netlabel_user.c | 4 ++-
security/security.c | 11 ++++----
15 files changed, 121 insertions(+), 35 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 46e2a26089cc..b7ab206f8bb3 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2863,6 +2863,7 @@ static void binder_transaction(struct binder_proc *proc,
int t_debug_id = atomic_inc_return(&binder_last_id);
char *secctx = NULL;
u32 secctx_sz = 0;
+ struct lsmcontext scaff; /* scaffolding */
e = binder_transaction_log_add(&binder_transaction_log);
e->debug_id = t_debug_id;
@@ -3159,7 +3160,8 @@ static void binder_transaction(struct binder_proc *proc,
t->security_ctx = 0;
WARN_ON(1);
}
- security_release_secctx(secctx, secctx_sz);
+ lsmcontext_init(&scaff, secctx, secctx_sz, 0);
+ security_release_secctx(&scaff);
secctx = NULL;
}
t->buffer->debug_id = t->debug_id;
@@ -3492,8 +3494,10 @@ static void binder_transaction(struct binder_proc *proc,
binder_alloc_free_buf(&target_proc->alloc, t->buffer);
err_binder_alloc_buf_failed:
err_bad_extra_size:
- if (secctx)
- security_release_secctx(secctx, secctx_sz);
+ if (secctx) {
+ lsmcontext_init(&scaff, secctx, secctx_sz, 0);
+ security_release_secctx(&scaff);
+ }
err_get_secctx_failed:
kfree(tcomplete);
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 71ee34d160c3..ad36d5fd7a84 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1272,12 +1272,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx)
{
+#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
+ struct lsmcontext scaff; /* scaffolding */
+#endif
#ifdef CONFIG_CEPH_FS_POSIX_ACL
posix_acl_release(as_ctx->acl);
posix_acl_release(as_ctx->default_acl);
#endif
#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
- security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen);
+ lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0);
+ security_release_secctx(&scaff);
#endif
if (as_ctx->pagelist)
ceph_pagelist_release(as_ctx->pagelist);
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index e32717fd1169..5a42ed23cb85 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -130,8 +130,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
static inline void
nfs4_label_release_security(struct nfs4_label *label)
{
- if (label)
- security_release_secctx(label->label, label->len);
+ struct lsmcontext scaff; /* scaffolding */
+
+ if (label) {
+ lsmcontext_init(&scaff, label->label, label->len, 0);
+ security_release_secctx(&scaff);
+ }
}
static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
{
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 996ac01ee977..61d6b8a0e8f0 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2496,6 +2496,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
int err;
struct nfs4_acl *acl = NULL;
#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+ struct lsmcontext scaff; /* scaffolding */
void *context = NULL;
int contextlen;
#endif
@@ -2998,8 +2999,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
out:
#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
- if (context)
- security_release_secctx(context, contextlen);
+ if (context) {
+ lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/
+ security_release_secctx(&scaff);
+ }
#endif /* CONFIG_NFSD_V4_SECURITY_LABEL */
kfree(acl);
if (tempfh) {
diff --git a/include/linux/security.h b/include/linux/security.h
index 84ad4404f7c1..f67e4084b893 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -131,6 +131,37 @@ enum lockdown_reason {
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
+/*
+ * A "security context" is the text representation of
+ * the information used by LSMs.
+ * This structure contains the string, its length, and which LSM
+ * it is useful for.
+ */
+struct lsmcontext {
+ char *context; /* Provided by the module */
+ u32 len;
+ int slot; /* Identifies the module */
+};
+
+/**
+ * lsmcontext_init - initialize an lsmcontext structure.
+ * @cp: Pointer to the context to initialize
+ * @context: Initial context, or NULL
+ * @size: Size of context, or 0
+ * @slot: Which LSM provided the context
+ *
+ * Fill in the lsmcontext from the provided information.
+ * This is a scaffolding function that will be removed when
+ * lsmcontext integration is complete.
+ */
+static inline void lsmcontext_init(struct lsmcontext *cp, char *context,
+ u32 size, int slot)
+{
+ cp->slot = slot;
+ cp->context = context;
+ cp->len = size;
+}
+
/*
* Data exported by the security modules
*
@@ -525,7 +556,7 @@ int security_ismaclabel(const char *name);
int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen);
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob);
-void security_release_secctx(char *secdata, u32 seclen);
+void security_release_secctx(struct lsmcontext *cp);
void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
@@ -1352,7 +1383,7 @@ static inline int security_secctx_to_secid(const char *secdata,
return -EOPNOTSUPP;
}
-static inline void security_release_secctx(char *secdata, u32 seclen)
+static inline void security_release_secctx(struct lsmcontext *cp)
{
}
diff --git a/include/net/scm.h b/include/net/scm.h
index 31ae605fcc0a..30ba801c91bd 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
#ifdef CONFIG_SECURITY_NETWORK
static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
{
+ struct lsmcontext context;
char *secdata;
u32 seclen;
int err;
@@ -102,7 +103,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
- security_release_secctx(secdata, seclen);
+ /*scaffolding*/
+ lsmcontext_init(&context, secdata, seclen, 0);
+ security_release_secctx(&context);
}
}
}
diff --git a/kernel/audit.c b/kernel/audit.c
index ff381344f950..3378c773b1c1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1188,6 +1188,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
struct audit_sig_info *sig_data;
char *ctx = NULL;
u32 len;
+ struct lsmcontext scaff; /* scaffolding */
err = audit_netlink_ok(skb, msg_type);
if (err)
@@ -1438,15 +1439,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
if (!sig_data) {
- if (lsmblob_is_set(&audit_sig_lsm))
- security_release_secctx(ctx, len);
+ if (lsmblob_is_set(&audit_sig_lsm)) {
+ lsmcontext_init(&scaff, ctx, len, 0);
+ security_release_secctx(&scaff);
+ }
return -ENOMEM;
}
sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
sig_data->pid = audit_sig_pid;
if (lsmblob_is_set(&audit_sig_lsm)) {
memcpy(sig_data->ctx, ctx, len);
- security_release_secctx(ctx, len);
+ lsmcontext_init(&scaff, ctx, len, 0);
+ security_release_secctx(&scaff);
}
audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
sig_data, sizeof(*sig_data) + len);
@@ -2116,6 +2120,7 @@ int audit_log_task_context(struct audit_buffer *ab)
unsigned len;
int error;
struct lsmblob blob;
+ struct lsmcontext scaff; /* scaffolding */
security_task_getsecid(current, &blob);
if (!lsmblob_is_set(&blob))
@@ -2129,7 +2134,8 @@ int audit_log_task_context(struct audit_buffer *ab)
}
audit_log_format(ab, " subj=%s", ctx);
- security_release_secctx(ctx, len);
+ lsmcontext_init(&scaff, ctx, len, 0);
+ security_release_secctx(&scaff);
return 0;
error_path:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 82d60474098d..ac6836c1f2d3 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -980,6 +980,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
struct lsmblob *blob, char *comm)
{
struct audit_buffer *ab;
+ struct lsmcontext lsmcxt;
char *ctx = NULL;
u32 len;
int rc = 0;
@@ -997,7 +998,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
rc = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
+ lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/
+ security_release_secctx(&lsmcxt);
}
}
audit_log_format(ab, " ocomm=");
@@ -1210,6 +1212,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
static void show_special(struct audit_context *context, int *call_panic)
{
+ struct lsmcontext lsmcxt;
struct audit_buffer *ab;
int i;
@@ -1243,7 +1246,8 @@ static void show_special(struct audit_context *context, int *call_panic)
*call_panic = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
+ lsmcontext_init(&lsmcxt, ctx, len, 0);
+ security_release_secctx(&lsmcxt);
}
}
if (context->ipc.has_perm) {
@@ -1389,6 +1393,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
char *ctx = NULL;
u32 len;
struct lsmblob blob;
+ struct lsmcontext lsmcxt;
lsmblob_init(&blob, n->osid);
if (security_secid_to_secctx(&blob, &ctx, &len)) {
@@ -1397,7 +1402,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
*call_panic = 2;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
+ lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */
+ security_release_secctx(&lsmcxt);
}
}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 1bb60d2cfac6..6391a570f9ad 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
{
+ struct lsmcontext context;
struct lsmblob lb;
char *secdata;
u32 seclen;
@@ -144,7 +145,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
return;
put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
- security_release_secctx(secdata, seclen);
+ lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */
+ security_release_secctx(&context);
}
static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 380b660d0d39..1c45ca8c3c21 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -334,6 +334,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
int len, ret;
char *secctx;
struct lsmblob blob;
+ struct lsmcontext context;
/* lsmblob_init() puts ct->secmark into all of the secids in blob.
* security_secid_to_secctx() will know which security module
@@ -354,7 +355,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
ret = 0;
nla_put_failure:
- security_release_secctx(secctx, len);
+ lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
+ security_release_secctx(&context);
return ret;
}
#else
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 244c6c2c223c..fd01d778c295 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -176,6 +176,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
u32 len;
char *secctx;
struct lsmblob blob;
+ struct lsmcontext context;
lsmblob_init(&blob, ct->secmark);
ret = security_secid_to_secctx(&blob, &secctx, &len);
@@ -184,7 +185,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
seq_printf(s, "secctx=%s ", secctx);
- security_release_secctx(secctx, len);
+ lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
+ security_release_secctx(&context);
}
#else
static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 44ce42e8c82a..c89bd87d0dae 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -398,6 +398,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
enum ip_conntrack_info uninitialized_var(ctinfo);
struct nfnl_ct_hook *nfnl_ct;
bool csum_verify;
+ struct lsmcontext scaff; /* scaffolding */
char *secdata = NULL;
u32 seclen = 0;
@@ -628,8 +629,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
}
nlh->nlmsg_len = skb->len;
- if (seclen)
- security_release_secctx(secdata, seclen);
+ if (seclen) {
+ lsmcontext_init(&scaff, secdata, seclen, 0);
+ security_release_secctx(&scaff);
+ }
return skb;
nla_put_failure:
@@ -637,8 +640,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
kfree_skb(skb);
net_err_ratelimited("nf_queue: error creating packet message\n");
nlmsg_failure:
- if (seclen)
- security_release_secctx(secdata, seclen);
+ if (seclen) {
+ lsmcontext_init(&scaff, secdata, seclen, 0);
+ security_release_secctx(&scaff);
+ }
return NULL;
}
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index f4a6204f4205..5785e6dcf54b 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net,
struct net_device *dev;
struct netlbl_unlhsh_iface *iface;
struct audit_buffer *audit_buf = NULL;
+ struct lsmcontext context;
char *secctx = NULL;
u32 secctx_len;
struct lsmblob blob;
@@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ /* scaffolding */
+ lsmcontext_init(&context, secctx, secctx_len, 0);
+ security_release_secctx(&context);
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
@@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
struct netlbl_unlhsh_addr4 *entry;
struct audit_buffer *audit_buf;
struct net_device *dev;
+ struct lsmcontext context;
char *secctx;
u32 secctx_len;
struct lsmblob blob;
@@ -509,7 +513,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
security_secid_to_secctx(&blob,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ /* scaffolding */
+ lsmcontext_init(&context, secctx, secctx_len, 0);
+ security_release_secctx(&context);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
audit_log_end(audit_buf);
@@ -546,6 +552,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
struct netlbl_unlhsh_addr6 *entry;
struct audit_buffer *audit_buf;
struct net_device *dev;
+ struct lsmcontext context;
char *secctx;
u32 secctx_len;
struct lsmblob blob;
@@ -576,7 +583,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
security_secid_to_secctx(&blob,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ lsmcontext_init(&context, secctx, secctx_len, 0);
+ security_release_secctx(&context);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
audit_log_end(audit_buf);
@@ -1095,6 +1103,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
int ret_val = -ENOMEM;
struct netlbl_unlhsh_walk_arg *cb_arg = arg;
struct net_device *dev;
+ struct lsmcontext context;
void *data;
u32 secid;
char *secctx;
@@ -1165,7 +1174,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
NLBL_UNLABEL_A_SECCTX,
secctx_len,
secctx);
- security_release_secctx(secctx, secctx_len);
+ /* scaffolding */
+ lsmcontext_init(&context, secctx, secctx_len, 0);
+ security_release_secctx(&context);
if (ret_val != 0)
goto list_cb_failure;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 893301ae0131..ef139d8ae7cd 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
struct netlbl_audit *audit_info)
{
struct audit_buffer *audit_buf;
+ struct lsmcontext context;
char *secctx;
u32 secctx_len;
struct lsmblob blob;
@@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
if (audit_info->secid != 0 &&
security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/
+ security_release_secctx(&context);
}
return audit_buf;
diff --git a/security/security.c b/security/security.c
index 75313b32aef5..6e353835e95f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2212,16 +2212,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
}
EXPORT_SYMBOL(security_secctx_to_secid);
-void security_release_secctx(char *secdata, u32 seclen)
+void security_release_secctx(struct lsmcontext *cp)
{
struct security_hook_list *hp;
- int display = lsm_task_display(current);
hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list)
- if (display == LSMBLOB_INVALID || display == hp->lsmid->slot) {
- hp->hook.release_secctx(secdata, seclen);
- return;
+ if (cp->slot == hp->lsmid->slot) {
+ hp->hook.release_secctx(cp->context, cp->len);
+ break;
}
+
+ memset(cp, 0, sizeof(*cp));
}
EXPORT_SYMBOL(security_release_secctx);
--
2.24.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v18 15/23] LSM: Use lsmcontext in security_secid_to_secctx
[not found] <20200709001234.9719-1-casey@schaufler-ca.com>
` (2 preceding siblings ...)
2020-07-09 0:12 ` [PATCH v18 14/23] LSM: Ensure the correct LSM context releaser Casey Schaufler
@ 2020-07-09 0:12 ` Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 17/23] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 18/23] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
5 siblings, 0 replies; 10+ messages in thread
From: Casey Schaufler @ 2020-07-09 0:12 UTC (permalink / raw)
To: casey.schaufler, jmorris, linux-security-module, selinux
Cc: casey, keescook, john.johansen, penguin-kernel, paul, sds, netdev
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
---
drivers/android/binder.c | 26 +++++++---------
include/linux/security.h | 4 +--
include/net/scm.h | 10 ++-----
kernel/audit.c | 35 ++++++++--------------
kernel/auditsc.c | 31 +++++++------------
net/ipv4/ip_sockglue.c | 7 ++---
net/netfilter/nf_conntrack_netlink.c | 18 +++++------
net/netfilter/nf_conntrack_standalone.c | 7 ++---
net/netfilter/nfnetlink_queue.c | 5 +++-
net/netlabel/netlabel_unlabeled.c | 40 ++++++++-----------------
net/netlabel/netlabel_user.c | 7 ++---
security/security.c | 10 +++++--
12 files changed, 76 insertions(+), 124 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index b7ab206f8bb3..ceb5987c7d76 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2861,9 +2861,7 @@ static void binder_transaction(struct binder_proc *proc,
binder_size_t last_fixup_min_off = 0;
struct binder_context *context = proc->context;
int t_debug_id = atomic_inc_return(&binder_last_id);
- char *secctx = NULL;
- u32 secctx_sz = 0;
- struct lsmcontext scaff; /* scaffolding */
+ struct lsmcontext lsmctx = { };
e = binder_transaction_log_add(&binder_transaction_log);
e->debug_id = t_debug_id;
@@ -3111,14 +3109,14 @@ static void binder_transaction(struct binder_proc *proc,
size_t added_size;
security_task_getsecid(proc->tsk, &blob);
- ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz);
+ ret = security_secid_to_secctx(&blob, &lsmctx);
if (ret) {
return_error = BR_FAILED_REPLY;
return_error_param = ret;
return_error_line = __LINE__;
goto err_get_secctx_failed;
}
- added_size = ALIGN(secctx_sz, sizeof(u64));
+ added_size = ALIGN(lsmctx.len, sizeof(u64));
extra_buffers_size += added_size;
if (extra_buffers_size < added_size) {
/* integer overflow of extra_buffers_size */
@@ -3145,24 +3143,22 @@ static void binder_transaction(struct binder_proc *proc,
t->buffer = NULL;
goto err_binder_alloc_buf_failed;
}
- if (secctx) {
+ if (lsmctx.context) {
int err;
size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
ALIGN(tr->offsets_size, sizeof(void *)) +
ALIGN(extra_buffers_size, sizeof(void *)) -
- ALIGN(secctx_sz, sizeof(u64));
+ ALIGN(lsmctx.len, sizeof(u64));
t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
err = binder_alloc_copy_to_buffer(&target_proc->alloc,
t->buffer, buf_offset,
- secctx, secctx_sz);
+ lsmctx.context, lsmctx.len);
if (err) {
t->security_ctx = 0;
WARN_ON(1);
}
- lsmcontext_init(&scaff, secctx, secctx_sz, 0);
- security_release_secctx(&scaff);
- secctx = NULL;
+ security_release_secctx(&lsmctx);
}
t->buffer->debug_id = t->debug_id;
t->buffer->transaction = t;
@@ -3218,7 +3214,7 @@ static void binder_transaction(struct binder_proc *proc,
off_end_offset = off_start_offset + tr->offsets_size;
sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
- ALIGN(secctx_sz, sizeof(u64));
+ ALIGN(lsmctx.len, sizeof(u64));
off_min = 0;
for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
buffer_offset += sizeof(binder_size_t)) {
@@ -3494,10 +3490,8 @@ static void binder_transaction(struct binder_proc *proc,
binder_alloc_free_buf(&target_proc->alloc, t->buffer);
err_binder_alloc_buf_failed:
err_bad_extra_size:
- if (secctx) {
- lsmcontext_init(&scaff, secctx, secctx_sz, 0);
- security_release_secctx(&scaff);
- }
+ if (lsmctx.context)
+ security_release_secctx(&lsmctx);
err_get_secctx_failed:
kfree(tcomplete);
binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
diff --git a/include/linux/security.h b/include/linux/security.h
index f67e4084b893..43f8a2660d37 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -553,7 +553,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
-int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen);
+int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp);
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob);
void security_release_secctx(struct lsmcontext *cp);
@@ -1371,7 +1371,7 @@ static inline int security_ismaclabel(const char *name)
}
static inline int security_secid_to_secctx(struct lsmblob *blob,
- char **secdata, u32 *seclen)
+ struct lsmcontext *cp)
{
return -EOPNOTSUPP;
}
diff --git a/include/net/scm.h b/include/net/scm.h
index 30ba801c91bd..4a6ad8caf423 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -93,18 +93,14 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
{
struct lsmcontext context;
- char *secdata;
- u32 seclen;
int err;
if (test_bit(SOCK_PASSSEC, &sock->flags)) {
- err = security_secid_to_secctx(&scm->lsmblob, &secdata,
- &seclen);
+ err = security_secid_to_secctx(&scm->lsmblob, &context);
if (!err) {
- put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
- /*scaffolding*/
- lsmcontext_init(&context, secdata, seclen, 0);
+ put_cmsg(msg, SOL_SOCKET, SCM_SECURITY,
+ context.len, context.context);
security_release_secctx(&context);
}
}
diff --git a/kernel/audit.c b/kernel/audit.c
index 3378c773b1c1..d300e41ca443 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1186,9 +1186,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
struct audit_buffer *ab;
u16 msg_type = nlh->nlmsg_type;
struct audit_sig_info *sig_data;
- char *ctx = NULL;
- u32 len;
- struct lsmcontext scaff; /* scaffolding */
+ struct lsmcontext context = { };
err = audit_netlink_ok(skb, msg_type);
if (err)
@@ -1430,30 +1428,26 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
break;
}
case AUDIT_SIGNAL_INFO:
- len = 0;
if (lsmblob_is_set(&audit_sig_lsm)) {
- err = security_secid_to_secctx(&audit_sig_lsm, &ctx,
- &len);
+ err = security_secid_to_secctx(&audit_sig_lsm,
+ &context);
if (err)
return err;
}
- sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
+ sig_data = kmalloc(sizeof(*sig_data) + context.len, GFP_KERNEL);
if (!sig_data) {
- if (lsmblob_is_set(&audit_sig_lsm)) {
- lsmcontext_init(&scaff, ctx, len, 0);
- security_release_secctx(&scaff);
- }
+ if (lsmblob_is_set(&audit_sig_lsm))
+ security_release_secctx(&context);
return -ENOMEM;
}
sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
sig_data->pid = audit_sig_pid;
if (lsmblob_is_set(&audit_sig_lsm)) {
- memcpy(sig_data->ctx, ctx, len);
- lsmcontext_init(&scaff, ctx, len, 0);
- security_release_secctx(&scaff);
+ memcpy(sig_data->ctx, context.context, context.len);
+ security_release_secctx(&context);
}
audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
- sig_data, sizeof(*sig_data) + len);
+ sig_data, sizeof(*sig_data) + context.len);
kfree(sig_data);
break;
case AUDIT_TTY_GET: {
@@ -2116,26 +2110,23 @@ void audit_log_key(struct audit_buffer *ab, char *key)
int audit_log_task_context(struct audit_buffer *ab)
{
- char *ctx = NULL;
- unsigned len;
int error;
struct lsmblob blob;
- struct lsmcontext scaff; /* scaffolding */
+ struct lsmcontext context;
security_task_getsecid(current, &blob);
if (!lsmblob_is_set(&blob))
return 0;
- error = security_secid_to_secctx(&blob, &ctx, &len);
+ error = security_secid_to_secctx(&blob, &context);
if (error) {
if (error != -EINVAL)
goto error_path;
return 0;
}
- audit_log_format(ab, " subj=%s", ctx);
- lsmcontext_init(&scaff, ctx, len, 0);
- security_release_secctx(&scaff);
+ audit_log_format(ab, " subj=%s", context.context);
+ security_release_secctx(&context);
return 0;
error_path:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ac6836c1f2d3..1f7bd6b34ec7 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -980,9 +980,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
struct lsmblob *blob, char *comm)
{
struct audit_buffer *ab;
- struct lsmcontext lsmcxt;
- char *ctx = NULL;
- u32 len;
+ struct lsmcontext lsmctx;
int rc = 0;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
@@ -993,13 +991,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
if (lsmblob_is_set(blob)) {
- if (security_secid_to_secctx(blob, &ctx, &len)) {
+ if (security_secid_to_secctx(blob, &lsmctx)) {
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
- audit_log_format(ab, " obj=%s", ctx);
- lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/
- security_release_secctx(&lsmcxt);
+ audit_log_format(ab, " obj=%s", lsmctx.context);
+ security_release_secctx(&lsmctx);
}
}
audit_log_format(ab, " ocomm=");
@@ -1212,7 +1209,6 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
static void show_special(struct audit_context *context, int *call_panic)
{
- struct lsmcontext lsmcxt;
struct audit_buffer *ab;
int i;
@@ -1236,17 +1232,15 @@ static void show_special(struct audit_context *context, int *call_panic)
from_kgid(&init_user_ns, context->ipc.gid),
context->ipc.mode);
if (osid) {
- char *ctx = NULL;
- u32 len;
+ struct lsmcontext lsmcxt;
struct lsmblob blob;
lsmblob_init(&blob, osid);
- if (security_secid_to_secctx(&blob, &ctx, &len)) {
+ if (security_secid_to_secctx(&blob, &lsmcxt)) {
audit_log_format(ab, " osid=%u", osid);
*call_panic = 1;
} else {
- audit_log_format(ab, " obj=%s", ctx);
- lsmcontext_init(&lsmcxt, ctx, len, 0);
+ audit_log_format(ab, " obj=%s", lsmcxt.context);
security_release_secctx(&lsmcxt);
}
}
@@ -1390,20 +1384,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
MAJOR(n->rdev),
MINOR(n->rdev));
if (n->osid != 0) {
- char *ctx = NULL;
- u32 len;
struct lsmblob blob;
- struct lsmcontext lsmcxt;
+ struct lsmcontext lsmctx;
lsmblob_init(&blob, n->osid);
- if (security_secid_to_secctx(&blob, &ctx, &len)) {
+ if (security_secid_to_secctx(&blob, &lsmctx)) {
audit_log_format(ab, " osid=%u", n->osid);
if (call_panic)
*call_panic = 2;
} else {
- audit_log_format(ab, " obj=%s", ctx);
- lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */
- security_release_secctx(&lsmcxt);
+ audit_log_format(ab, " obj=%s", lsmctx.context);
+ security_release_secctx(&lsmctx);
}
}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 6391a570f9ad..176ac9ce6069 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -132,20 +132,17 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
{
struct lsmcontext context;
struct lsmblob lb;
- char *secdata;
- u32 seclen;
int err;
err = security_socket_getpeersec_dgram(NULL, skb, &lb);
if (err)
return;
- err = security_secid_to_secctx(&lb, &secdata, &seclen);
+ err = security_secid_to_secctx(&lb, &context);
if (err)
return;
- put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
- lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */
+ put_cmsg(msg, SOL_IP, SCM_SECURITY, context.len, context.context);
security_release_secctx(&context);
}
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 1c45ca8c3c21..e38b5182e301 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -331,8 +331,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
{
struct nlattr *nest_secctx;
- int len, ret;
- char *secctx;
+ int ret;
struct lsmblob blob;
struct lsmcontext context;
@@ -340,7 +339,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
* security_secid_to_secctx() will know which security module
* to use to create the secctx. */
lsmblob_init(&blob, ct->secmark);
- ret = security_secid_to_secctx(&blob, &secctx, &len);
+ ret = security_secid_to_secctx(&blob, &context);
if (ret)
return 0;
@@ -349,13 +348,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
if (!nest_secctx)
goto nla_put_failure;
- if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
+ if (nla_put_string(skb, CTA_SECCTX_NAME, context.context))
goto nla_put_failure;
nla_nest_end(skb, nest_secctx);
ret = 0;
nla_put_failure:
- lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
security_release_secctx(&context);
return ret;
}
@@ -655,15 +653,15 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
#ifdef CONFIG_NF_CONNTRACK_SECMARK
int len, ret;
struct lsmblob blob;
+ struct lsmcontext context;
- /* lsmblob_init() puts ct->secmark into all of the secids in blob.
- * security_secid_to_secctx() will know which security module
- * to use to create the secctx. */
- lsmblob_init(&blob, ct->secmark);
- ret = security_secid_to_secctx(&blob, NULL, &len);
+ ret = security_secid_to_secctx(&blob, &context);
if (ret)
return 0;
+ len = context.len;
+ security_release_secctx(&context);
+
return nla_total_size(0) /* CTA_SECCTX */
+ nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
#else
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index fd01d778c295..0ecd1040f4f1 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -173,19 +173,16 @@ static void ct_seq_stop(struct seq_file *s, void *v)
static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
{
int ret;
- u32 len;
- char *secctx;
struct lsmblob blob;
struct lsmcontext context;
lsmblob_init(&blob, ct->secmark);
- ret = security_secid_to_secctx(&blob, &secctx, &len);
+ ret = security_secid_to_secctx(&blob, &context);
if (ret)
return;
- seq_printf(s, "secctx=%s ", secctx);
+ seq_printf(s, "secctx=%s ", context.context);
- lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
security_release_secctx(&context);
}
#else
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index c89bd87d0dae..fe19ae7216db 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -306,6 +306,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
u32 seclen = 0;
#if IS_ENABLED(CONFIG_NETWORK_SECMARK)
struct lsmblob blob;
+ struct lsmcontext context = { };
if (!skb || !sk_fullsock(skb->sk))
return 0;
@@ -317,10 +318,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
* blob. security_secid_to_secctx() will know which security
* module to use to create the secctx. */
lsmblob_init(&blob, skb->secmark);
- security_secid_to_secctx(&blob, secdata, &seclen);
+ security_secid_to_secctx(&blob, &context);
+ *secdata = context.context;
}
read_unlock_bh(&skb->sk->sk_callback_lock);
+ seclen = context.len;
#endif
return seclen;
}
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 5785e6dcf54b..cf4c56beb3ec 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -375,8 +375,6 @@ int netlbl_unlhsh_add(struct net *net,
struct netlbl_unlhsh_iface *iface;
struct audit_buffer *audit_buf = NULL;
struct lsmcontext context;
- char *secctx = NULL;
- u32 secctx_len;
struct lsmblob blob;
if (addr_len != sizeof(struct in_addr) &&
@@ -444,12 +442,9 @@ int netlbl_unlhsh_add(struct net *net,
* security_secid_to_secctx() will know which security module
* to use to create the secctx. */
lsmblob_init(&blob, secid);
- if (security_secid_to_secctx(&blob,
- &secctx,
- &secctx_len) == 0) {
- audit_log_format(audit_buf, " sec_obj=%s", secctx);
- /* scaffolding */
- lsmcontext_init(&context, secctx, secctx_len, 0);
+ if (security_secid_to_secctx(&blob, &context) == 0) {
+ audit_log_format(audit_buf, " sec_obj=%s",
+ context.context);
security_release_secctx(&context);
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
@@ -482,8 +477,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
struct audit_buffer *audit_buf;
struct net_device *dev;
struct lsmcontext context;
- char *secctx;
- u32 secctx_len;
struct lsmblob blob;
spin_lock(&netlbl_unlhsh_lock);
@@ -510,11 +503,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
if (entry != NULL)
lsmblob_init(&blob, entry->secid);
if (entry != NULL &&
- security_secid_to_secctx(&blob,
- &secctx, &secctx_len) == 0) {
- audit_log_format(audit_buf, " sec_obj=%s", secctx);
- /* scaffolding */
- lsmcontext_init(&context, secctx, secctx_len, 0);
+ security_secid_to_secctx(&blob, &context) == 0) {
+ audit_log_format(audit_buf, " sec_obj=%s",
+ context.context);
security_release_secctx(&context);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
@@ -553,8 +544,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
struct audit_buffer *audit_buf;
struct net_device *dev;
struct lsmcontext context;
- char *secctx;
- u32 secctx_len;
struct lsmblob blob;
spin_lock(&netlbl_unlhsh_lock);
@@ -580,10 +569,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
if (entry != NULL)
lsmblob_init(&blob, entry->secid);
if (entry != NULL &&
- security_secid_to_secctx(&blob,
- &secctx, &secctx_len) == 0) {
- audit_log_format(audit_buf, " sec_obj=%s", secctx);
- lsmcontext_init(&context, secctx, secctx_len, 0);
+ security_secid_to_secctx(&blob, &context) == 0) {
+ audit_log_format(audit_buf, " sec_obj=%s",
+ context.context);
security_release_secctx(&context);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
@@ -1106,8 +1094,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
struct lsmcontext context;
void *data;
u32 secid;
- char *secctx;
- u32 secctx_len;
struct lsmblob blob;
data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
@@ -1167,15 +1153,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
* security_secid_to_secctx() will know which security module
* to use to create the secctx. */
lsmblob_init(&blob, secid);
- ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len);
+ ret_val = security_secid_to_secctx(&blob, &context);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
NLBL_UNLABEL_A_SECCTX,
- secctx_len,
- secctx);
- /* scaffolding */
- lsmcontext_init(&context, secctx, secctx_len, 0);
+ context.len,
+ context.context);
security_release_secctx(&context);
if (ret_val != 0)
goto list_cb_failure;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index ef139d8ae7cd..951ba0639d20 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -85,8 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type,
{
struct audit_buffer *audit_buf;
struct lsmcontext context;
- char *secctx;
- u32 secctx_len;
struct lsmblob blob;
if (audit_enabled == AUDIT_OFF)
@@ -102,9 +100,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
lsmblob_init(&blob, audit_info->secid);
if (audit_info->secid != 0 &&
- security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) {
- audit_log_format(audit_buf, " subj=%s", secctx);
- lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/
+ security_secid_to_secctx(&blob, &context) == 0) {
+ audit_log_format(audit_buf, " subj=%s", context.context);
security_release_secctx(&context);
}
diff --git a/security/security.c b/security/security.c
index 6e353835e95f..84afa9c09217 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2176,18 +2176,22 @@ int security_ismaclabel(const char *name)
}
EXPORT_SYMBOL(security_ismaclabel);
-int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen)
+int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp)
{
struct security_hook_list *hp;
int display = lsm_task_display(current);
+ memset(cp, 0, sizeof(*cp));
+
hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
- if (display == LSMBLOB_INVALID || display == hp->lsmid->slot)
+ if (display == LSMBLOB_INVALID || display == hp->lsmid->slot) {
+ cp->slot = hp->lsmid->slot;
return hp->hook.secid_to_secctx(
blob->secid[hp->lsmid->slot],
- secdata, seclen);
+ &cp->context, &cp->len);
+ }
}
return LSM_RET_DEFAULT(secid_to_secctx);
--
2.24.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v18 17/23] LSM: security_secid_to_secctx in netlink netfilter
[not found] <20200709001234.9719-1-casey@schaufler-ca.com>
` (3 preceding siblings ...)
2020-07-09 0:12 ` [PATCH v18 15/23] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
@ 2020-07-09 0:12 ` Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 18/23] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
5 siblings, 0 replies; 10+ messages in thread
From: Casey Schaufler @ 2020-07-09 0:12 UTC (permalink / raw)
To: casey.schaufler, jmorris, linux-security-module, selinux
Cc: casey, keescook, john.johansen, penguin-kernel, paul, sds, netdev
Change netlink netfilter interfaces to use lsmcontext
pointers, and remove scaffolding.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
cc: netdev@vger.kernel.org
---
net/netfilter/nfnetlink_queue.c | 31 ++++++++++++-------------------
1 file changed, 12 insertions(+), 19 deletions(-)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index fe19ae7216db..a4d4602ab9b7 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -301,12 +301,10 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
return -1;
}
-static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
+static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context)
{
- u32 seclen = 0;
#if IS_ENABLED(CONFIG_NETWORK_SECMARK)
struct lsmblob blob;
- struct lsmcontext context = { };
if (!skb || !sk_fullsock(skb->sk))
return 0;
@@ -318,14 +316,14 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
* blob. security_secid_to_secctx() will know which security
* module to use to create the secctx. */
lsmblob_init(&blob, skb->secmark);
- security_secid_to_secctx(&blob, &context);
- *secdata = context.context;
+ security_secid_to_secctx(&blob, context);
}
read_unlock_bh(&skb->sk->sk_callback_lock);
- seclen = context.len;
+ return context->len;
+#else
+ return 0;
#endif
- return seclen;
}
static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry)
@@ -401,8 +399,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
enum ip_conntrack_info uninitialized_var(ctinfo);
struct nfnl_ct_hook *nfnl_ct;
bool csum_verify;
- struct lsmcontext scaff; /* scaffolding */
- char *secdata = NULL;
+ struct lsmcontext context = { };
u32 seclen = 0;
size = nlmsg_total_size(sizeof(struct nfgenmsg))
@@ -469,7 +466,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
}
if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
- seclen = nfqnl_get_sk_secctx(entskb, &secdata);
+ seclen = nfqnl_get_sk_secctx(entskb, &context);
if (seclen)
size += nla_total_size(seclen);
}
@@ -604,7 +601,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
goto nla_put_failure;
- if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
+ if (seclen && nla_put(skb, NFQA_SECCTX, context.len, context.context))
goto nla_put_failure;
if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0)
@@ -632,10 +629,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
}
nlh->nlmsg_len = skb->len;
- if (seclen) {
- lsmcontext_init(&scaff, secdata, seclen, 0);
- security_release_secctx(&scaff);
- }
+ if (seclen)
+ security_release_secctx(&context);
return skb;
nla_put_failure:
@@ -643,10 +638,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
kfree_skb(skb);
net_err_ratelimited("nf_queue: error creating packet message\n");
nlmsg_failure:
- if (seclen) {
- lsmcontext_init(&scaff, secdata, seclen, 0);
- security_release_secctx(&scaff);
- }
+ if (seclen)
+ security_release_secctx(&context);
return NULL;
}
--
2.24.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v18 18/23] NET: Store LSM netlabel data in a lsmblob
[not found] <20200709001234.9719-1-casey@schaufler-ca.com>
` (4 preceding siblings ...)
2020-07-09 0:12 ` [PATCH v18 17/23] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
@ 2020-07-09 0:12 ` Casey Schaufler
5 siblings, 0 replies; 10+ messages in thread
From: Casey Schaufler @ 2020-07-09 0:12 UTC (permalink / raw)
To: casey.schaufler, jmorris, linux-security-module, selinux
Cc: casey, keescook, john.johansen, penguin-kernel, paul, sds, netdev
Netlabel uses LSM interfaces requiring an lsmblob and
the internal storage is used to pass information between
these interfaces, so change the internal data from a secid
to a lsmblob. Update the netlabel interfaces and their
callers to accommodate the change. This requires that the
modules using netlabel use the lsm_id.slot to access the
correct secid when using netlabel.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
---
include/net/netlabel.h | 8 +--
net/ipv4/cipso_ipv4.c | 27 ++++++----
net/netlabel/netlabel_kapi.c | 6 +--
net/netlabel/netlabel_unlabeled.c | 79 +++++++++--------------------
net/netlabel/netlabel_unlabeled.h | 2 +-
security/selinux/hooks.c | 2 +-
security/selinux/include/security.h | 1 +
security/selinux/netlabel.c | 2 +-
security/selinux/ss/services.c | 4 +-
security/smack/smack.h | 1 +
security/smack/smack_lsm.c | 5 +-
security/smack/smackfs.c | 10 ++--
12 files changed, 65 insertions(+), 82 deletions(-)
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 43ae50337685..73fc25b4042b 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -166,7 +166,7 @@ struct netlbl_lsm_catmap {
* @attr.mls: MLS sensitivity label
* @attr.mls.cat: MLS category bitmap
* @attr.mls.lvl: MLS sensitivity level
- * @attr.secid: LSM specific secid token
+ * @attr.lsmblob: LSM specific data
*
* Description:
* This structure is used to pass security attributes between NetLabel and the
@@ -201,7 +201,7 @@ struct netlbl_lsm_secattr {
struct netlbl_lsm_catmap *cat;
u32 lvl;
} mls;
- u32 secid;
+ struct lsmblob lsmblob;
} attr;
};
@@ -415,7 +415,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct lsmblob *lsmblob,
struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_static_del(struct net *net,
const char *dev_name,
@@ -523,7 +523,7 @@ static inline int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct lsmblob *lsmblob,
struct netlbl_audit *audit_info)
{
return -ENOSYS;
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index a23094b050f8..469baf6704f5 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -106,15 +106,17 @@ int cipso_v4_rbm_strictvalid = 1;
/* Base length of the local tag (non-standard tag).
* Tag definition (may change between kernel versions)
*
- * 0 8 16 24 32
- * +----------+----------+----------+----------+
- * | 10000000 | 00000110 | 32-bit secid value |
- * +----------+----------+----------+----------+
- * | in (host byte order)|
- * +----------+----------+
- *
+ * 0 8 16 16 + sizeof(struct lsmblob)
+ * +----------+----------+---------------------+
+ * | 10000000 | 00000110 | LSM blob data |
+ * +----------+----------+---------------------+
+ *
+ * All secid and flag fields are in host byte order.
+ * The lsmblob structure size varies depending on which
+ * Linux security modules are built in the kernel.
+ * The data is opaque.
*/
-#define CIPSO_V4_TAG_LOC_BLEN 6
+#define CIPSO_V4_TAG_LOC_BLEN (2 + sizeof(struct lsmblob))
/*
* Helper Functions
@@ -1469,7 +1471,12 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def,
buffer[0] = CIPSO_V4_TAG_LOCAL;
buffer[1] = CIPSO_V4_TAG_LOC_BLEN;
- *(u32 *)&buffer[2] = secattr->attr.secid;
+ /* Ensure that there is sufficient space in the CIPSO header
+ * for the LSM data. This should never become an issue.
+ * The check is made from an abundance of caution. */
+ BUILD_BUG_ON(CIPSO_V4_TAG_LOC_BLEN > CIPSO_V4_OPT_LEN_MAX);
+ memcpy(&buffer[2], &secattr->attr.lsmblob,
+ sizeof(secattr->attr.lsmblob));
return CIPSO_V4_TAG_LOC_BLEN;
}
@@ -1489,7 +1496,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
const unsigned char *tag,
struct netlbl_lsm_secattr *secattr)
{
- secattr->attr.secid = *(u32 *)&tag[2];
+ memcpy(&secattr->attr.lsmblob, &tag[2], sizeof(secattr->attr.lsmblob));
secattr->flags |= NETLBL_SECATTR_SECID;
return 0;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 5e1239cef000..bbfaff539416 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -196,7 +196,7 @@ int netlbl_cfg_unlbl_map_add(const char *domain,
* @addr: IP address in network byte order (struct in[6]_addr)
* @mask: address mask in network byte order (struct in[6]_addr)
* @family: address family
- * @secid: LSM secid value for the entry
+ * @lsmblob: LSM data value for the entry
* @audit_info: NetLabel audit information
*
* Description:
@@ -210,7 +210,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct lsmblob *lsmblob,
struct netlbl_audit *audit_info)
{
u32 addr_len;
@@ -230,7 +230,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,
return netlbl_unlhsh_add(net,
dev_name, addr, mask, addr_len,
- secid, audit_info);
+ lsmblob, audit_info);
}
/**
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index cf4c56beb3ec..c14a485ff045 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -66,7 +66,7 @@ struct netlbl_unlhsh_tbl {
#define netlbl_unlhsh_addr4_entry(iter) \
container_of(iter, struct netlbl_unlhsh_addr4, list)
struct netlbl_unlhsh_addr4 {
- u32 secid;
+ struct lsmblob lsmblob;
struct netlbl_af4list list;
struct rcu_head rcu;
@@ -74,7 +74,7 @@ struct netlbl_unlhsh_addr4 {
#define netlbl_unlhsh_addr6_entry(iter) \
container_of(iter, struct netlbl_unlhsh_addr6, list)
struct netlbl_unlhsh_addr6 {
- u32 secid;
+ struct lsmblob lsmblob;
struct netlbl_af6list list;
struct rcu_head rcu;
@@ -220,7 +220,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
* @iface: the associated interface entry
* @addr: IPv4 address in network byte order
* @mask: IPv4 address mask in network byte order
- * @secid: LSM secid value for entry
+ * @lsmblob: LSM data value for entry
*
* Description:
* Add a new address entry into the unlabeled connection hash table using the
@@ -231,7 +231,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
const struct in_addr *addr,
const struct in_addr *mask,
- u32 secid)
+ struct lsmblob *lsmblob)
{
int ret_val;
struct netlbl_unlhsh_addr4 *entry;
@@ -243,7 +243,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
entry->list.addr = addr->s_addr & mask->s_addr;
entry->list.mask = mask->s_addr;
entry->list.valid = 1;
- entry->secid = secid;
+ entry->lsmblob = *lsmblob;
spin_lock(&netlbl_unlhsh_lock);
ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list);
@@ -260,7 +260,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
* @iface: the associated interface entry
* @addr: IPv6 address in network byte order
* @mask: IPv6 address mask in network byte order
- * @secid: LSM secid value for entry
+ * @lsmblob: LSM data value for entry
*
* Description:
* Add a new address entry into the unlabeled connection hash table using the
@@ -271,7 +271,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
const struct in6_addr *addr,
const struct in6_addr *mask,
- u32 secid)
+ struct lsmblob *lsmblob)
{
int ret_val;
struct netlbl_unlhsh_addr6 *entry;
@@ -287,7 +287,7 @@ static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
entry->list.mask = *mask;
entry->list.valid = 1;
- entry->secid = secid;
+ entry->lsmblob = *lsmblob;
spin_lock(&netlbl_unlhsh_lock);
ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list);
@@ -366,7 +366,7 @@ int netlbl_unlhsh_add(struct net *net,
const void *addr,
const void *mask,
u32 addr_len,
- u32 secid,
+ struct lsmblob *lsmblob,
struct netlbl_audit *audit_info)
{
int ret_val;
@@ -375,7 +375,6 @@ int netlbl_unlhsh_add(struct net *net,
struct netlbl_unlhsh_iface *iface;
struct audit_buffer *audit_buf = NULL;
struct lsmcontext context;
- struct lsmblob blob;
if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr))
@@ -408,7 +407,7 @@ int netlbl_unlhsh_add(struct net *net,
const struct in_addr *addr4 = addr;
const struct in_addr *mask4 = mask;
- ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
+ ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, lsmblob);
if (audit_buf != NULL)
netlbl_af4list_audit_addr(audit_buf, 1,
dev_name,
@@ -421,7 +420,7 @@ int netlbl_unlhsh_add(struct net *net,
const struct in6_addr *addr6 = addr;
const struct in6_addr *mask6 = mask;
- ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
+ ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, lsmblob);
if (audit_buf != NULL)
netlbl_af6list_audit_addr(audit_buf, 1,
dev_name,
@@ -438,11 +437,7 @@ int netlbl_unlhsh_add(struct net *net,
unlhsh_add_return:
rcu_read_unlock();
if (audit_buf != NULL) {
- /* lsmblob_init() puts secid into all of the secids in blob.
- * security_secid_to_secctx() will know which security module
- * to use to create the secctx. */
- lsmblob_init(&blob, secid);
- if (security_secid_to_secctx(&blob, &context) == 0) {
+ if (security_secid_to_secctx(lsmblob, &context) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -477,7 +472,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
struct audit_buffer *audit_buf;
struct net_device *dev;
struct lsmcontext context;
- struct lsmblob blob;
spin_lock(&netlbl_unlhsh_lock);
list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
@@ -497,13 +491,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
addr->s_addr, mask->s_addr);
if (dev != NULL)
dev_put(dev);
- /* lsmblob_init() puts entry->secid into all of the secids
- * in blob. security_secid_to_secctx() will know which
- * security module to use to create the secctx. */
- if (entry != NULL)
- lsmblob_init(&blob, entry->secid);
if (entry != NULL &&
- security_secid_to_secctx(&blob, &context) == 0) {
+ security_secid_to_secctx(&entry->lsmblob, &context) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -544,7 +533,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
struct audit_buffer *audit_buf;
struct net_device *dev;
struct lsmcontext context;
- struct lsmblob blob;
spin_lock(&netlbl_unlhsh_lock);
list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
@@ -563,13 +551,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
addr, mask);
if (dev != NULL)
dev_put(dev);
- /* lsmblob_init() puts entry->secid into all of the secids
- * in blob. security_secid_to_secctx() will know which
- * security module to use to create the secctx. */
- if (entry != NULL)
- lsmblob_init(&blob, entry->secid);
if (entry != NULL &&
- security_secid_to_secctx(&blob, &context) == 0) {
+ security_secid_to_secctx(&entry->lsmblob, &context) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -923,14 +906,8 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
if (ret_val != 0)
return ret_val;
- /* netlbl_unlhsh_add will be changed to pass a struct lsmblob *
- * instead of a u32 later in this patch set. security_secctx_to_secid()
- * will only be setting one entry in the lsmblob struct, so it is
- * safe to use lsmblob_value() to get that one value. */
-
- return netlbl_unlhsh_add(&init_net,
- dev_name, addr, mask, addr_len,
- lsmblob_value(&blob), &audit_info);
+ return netlbl_unlhsh_add(&init_net, dev_name, addr, mask, addr_len,
+ &blob, &audit_info);
}
/**
@@ -977,11 +954,8 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
if (ret_val != 0)
return ret_val;
- /* security_secctx_to_secid() will only put one secid into the lsmblob
- * so it's safe to use lsmblob_value() to get the secid. */
- return netlbl_unlhsh_add(&init_net,
- NULL, addr, mask, addr_len,
- lsmblob_value(&blob), &audit_info);
+ return netlbl_unlhsh_add(&init_net, NULL, addr, mask, addr_len, &blob,
+ &audit_info);
}
/**
@@ -1093,8 +1067,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
struct net_device *dev;
struct lsmcontext context;
void *data;
- u32 secid;
- struct lsmblob blob;
+ struct lsmblob *lsmb;
data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
cb_arg->seq, &netlbl_unlabel_gnl_family,
@@ -1132,7 +1105,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;
- secid = addr4->secid;
+ lsmb = (struct lsmblob *)&addr4->lsmblob;
} else {
ret_val = nla_put_in6_addr(cb_arg->skb,
NLBL_UNLABEL_A_IPV6ADDR,
@@ -1146,14 +1119,10 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;
- secid = addr6->secid;
+ lsmb = (struct lsmblob *)&addr6->lsmblob;
}
- /* lsmblob_init() secid into all of the secids in blob.
- * security_secid_to_secctx() will know which security module
- * to use to create the secctx. */
- lsmblob_init(&blob, secid);
- ret_val = security_secid_to_secctx(&blob, &context);
+ ret_val = security_secid_to_secctx(lsmb, &context);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
@@ -1505,7 +1474,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb,
&iface->addr4_list);
if (addr4 == NULL)
goto unlabel_getattr_nolabel;
- secattr->attr.secid = netlbl_unlhsh_addr4_entry(addr4)->secid;
+ secattr->attr.lsmblob = netlbl_unlhsh_addr4_entry(addr4)->lsmblob;
break;
}
#if IS_ENABLED(CONFIG_IPV6)
@@ -1518,7 +1487,7 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb,
&iface->addr6_list);
if (addr6 == NULL)
goto unlabel_getattr_nolabel;
- secattr->attr.secid = netlbl_unlhsh_addr6_entry(addr6)->secid;
+ secattr->attr.lsmblob = netlbl_unlhsh_addr6_entry(addr6)->lsmblob;
break;
}
#endif /* IPv6 */
diff --git a/net/netlabel/netlabel_unlabeled.h b/net/netlabel/netlabel_unlabeled.h
index 058e3a285d56..168920780994 100644
--- a/net/netlabel/netlabel_unlabeled.h
+++ b/net/netlabel/netlabel_unlabeled.h
@@ -211,7 +211,7 @@ int netlbl_unlhsh_add(struct net *net,
const void *addr,
const void *mask,
u32 addr_len,
- u32 secid,
+ struct lsmblob *lsmblob,
struct netlbl_audit *audit_info);
int netlbl_unlhsh_remove(struct net *net,
const char *dev_name,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bedcf737ff26..c13c207c5da1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6940,7 +6940,7 @@ static int selinux_perf_event_write(struct perf_event *event)
}
#endif
-static struct lsm_id selinux_lsmid __lsm_ro_after_init = {
+struct lsm_id selinux_lsmid __lsm_ro_after_init = {
.lsm = "selinux",
.slot = LSMBLOB_NEEDED
};
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index b0e02cfe3ce1..cee2987647dd 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -71,6 +71,7 @@
struct netlbl_lsm_secattr;
extern int selinux_enabled_boot;
+extern struct lsm_id selinux_lsmid;
/* Policy capabilities */
enum {
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 6a94b31b5472..d8d7603ab14e 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -108,7 +108,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
return NULL;
if ((secattr->flags & NETLBL_SECATTR_SECID) &&
- (secattr->attr.secid == sid))
+ (secattr->attr.lsmblob.secid[selinux_lsmid.slot] == sid))
return secattr;
return NULL;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ef0afd878bfc..c59ecf7b61b7 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3637,7 +3637,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state,
if (secattr->flags & NETLBL_SECATTR_CACHE)
*sid = *(u32 *)secattr->cache->data;
else if (secattr->flags & NETLBL_SECATTR_SECID)
- *sid = secattr->attr.secid;
+ *sid = secattr->attr.lsmblob.secid[selinux_lsmid.slot];
else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
rc = -EIDRM;
ctx = sidtab_search(sidtab, SECINITSID_NETMSG);
@@ -3710,7 +3710,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state,
if (secattr->domain == NULL)
goto out;
- secattr->attr.secid = sid;
+ secattr->attr.lsmblob.secid[selinux_lsmid.slot] = sid;
secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
mls_export_netlbl_lvl(policydb, ctx, secattr);
rc = mls_export_netlbl_cat(policydb, ctx, secattr);
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 7481fa71de19..c284b104e1cc 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -310,6 +310,7 @@ void smk_destroy_label_list(struct list_head *list);
* Shared data.
*/
extern int smack_enabled;
+extern struct lsm_id smack_lsmid;
extern int smack_cipso_direct;
extern int smack_cipso_mapped;
extern struct smack_known *smack_net_ambient;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8b708cca921a..6f0cdb40addc 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3751,7 +3751,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
/*
* Looks like a fallback, which gives us a secid.
*/
- return smack_from_secid(sap->attr.secid);
+ return smack_from_secid(
+ sap->attr.lsmblob.secid[smack_lsmid.slot]);
/*
* Without guidance regarding the smack value
* for the packet fall back on the network
@@ -4656,7 +4657,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
.lbs_sock = sizeof(struct socket_smack),
};
-static struct lsm_id smack_lsmid __lsm_ro_after_init = {
+struct lsm_id smack_lsmid __lsm_ro_after_init = {
.lsm = "smack",
.slot = LSMBLOB_NEEDED
};
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index c21b656b3263..177e69b43a52 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -1132,6 +1132,7 @@ static void smk_net4addr_insert(struct smk_net4addr *new)
static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
+ struct lsmblob lsmblob;
struct smk_net4addr *snp;
struct sockaddr_in newname;
char *smack;
@@ -1263,10 +1264,13 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
* this host so that incoming packets get labeled.
* but only if we didn't get the special CIPSO option
*/
- if (rc == 0 && skp != NULL)
+ if (rc == 0 && skp != NULL) {
+ lsmblob_init(&lsmblob, 0);
+ lsmblob.secid[smack_lsmid.slot] = snp->smk_label->smk_secid;
rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
- &snp->smk_host, &snp->smk_mask, PF_INET,
- snp->smk_label->smk_secid, &audit_info);
+ &snp->smk_host, &snp->smk_mask, PF_INET, &lsmblob,
+ &audit_info);
+ }
if (rc == 0)
rc = count;
--
2.24.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH v18 05/23] net: Prepare UDS for security module stacking
2020-07-09 0:12 ` [PATCH v18 05/23] net: Prepare UDS for security module stacking Casey Schaufler
@ 2020-07-09 16:11 ` Stephen Smalley
2020-07-09 16:28 ` John Johansen
0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2020-07-09 16:11 UTC (permalink / raw)
To: Casey Schaufler
Cc: Casey Schaufler, James Morris, LSM List, SElinux list, Kees Cook,
John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley, netdev
On Wed, Jul 8, 2020 at 8:23 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Change the data used in UDS SO_PEERSEC processing from a
> secid to a more general struct lsmblob. Update the
> security_socket_getpeersec_dgram() interface to use the
> lsmblob. There is a small amount of scaffolding code
> that will come out when the security_secid_to_secctx()
> code is brought in line with the lsmblob.
>
> The secid field of the unix_skb_parms structure has been
> replaced with a pointer to an lsmblob structure, and the
> lsmblob is allocated as needed. This is similar to how the
> list of passed files is managed. While an lsmblob structure
> will fit in the available space today, there is no guarantee
> that the addition of other data to the unix_skb_parms or
> support for additional security modules wouldn't exceed what
> is available.
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Cc: netdev@vger.kernel.org
> ---
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index 3385a7a0b231..d246aefcf4da 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -138,17 +138,23 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
> #ifdef CONFIG_SECURITY_NETWORK
> static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
> {
> - UNIXCB(skb).secid = scm->secid;
> + UNIXCB(skb).lsmdata = kmemdup(&scm->lsmblob, sizeof(scm->lsmblob),
> + GFP_KERNEL);
> }
>
> static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
> {
> - scm->secid = UNIXCB(skb).secid;
> + if (likely(UNIXCB(skb).lsmdata))
> + scm->lsmblob = *(UNIXCB(skb).lsmdata);
> + else
> + lsmblob_init(&scm->lsmblob, 0);
> }
>
> static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
> {
> - return (scm->secid == UNIXCB(skb).secid);
> + if (likely(UNIXCB(skb).lsmdata))
> + return lsmblob_equal(&scm->lsmblob, UNIXCB(skb).lsmdata);
> + return false;
> }
I don't think that this provides sensible behavior to userspace. On a
transient memory allocation failure, instead of returning an error to
the sender and letting them handle it, this will just proceed with
sending the message without its associated security information, and
potentially split messages on arbitrary boundaries because it cannot
tell whether the sender had the same security information. I think
you instead need to change unix_get_secdata() to return an error on
allocation failure and propagate that up to the sender. Not a fan of
this change in general both due to extra overhead on this code path
and potential for breakage on allocation failures. I know it was
motivated by paul's observation that we won't be able to fit many more
secids into the cb but not sure we have to go there prematurely,
especially absent its usage by upstream AA (no unix_stream_connect
hook implementation upstream). Also not sure how the whole bpf local
storage approach to supporting security modules (or at least bpf lsm)
might reduce need for expanding these structures?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v18 05/23] net: Prepare UDS for security module stacking
2020-07-09 16:11 ` Stephen Smalley
@ 2020-07-09 16:28 ` John Johansen
2020-07-09 19:24 ` Casey Schaufler
2020-07-09 19:54 ` Stephen Smalley
0 siblings, 2 replies; 10+ messages in thread
From: John Johansen @ 2020-07-09 16:28 UTC (permalink / raw)
To: Stephen Smalley, Casey Schaufler
Cc: Casey Schaufler, James Morris, LSM List, SElinux list, Kees Cook,
Tetsuo Handa, Paul Moore, Stephen Smalley, netdev
On 7/9/20 9:11 AM, Stephen Smalley wrote:
> On Wed, Jul 8, 2020 at 8:23 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>
>> Change the data used in UDS SO_PEERSEC processing from a
>> secid to a more general struct lsmblob. Update the
>> security_socket_getpeersec_dgram() interface to use the
>> lsmblob. There is a small amount of scaffolding code
>> that will come out when the security_secid_to_secctx()
>> code is brought in line with the lsmblob.
>>
>> The secid field of the unix_skb_parms structure has been
>> replaced with a pointer to an lsmblob structure, and the
>> lsmblob is allocated as needed. This is similar to how the
>> list of passed files is managed. While an lsmblob structure
>> will fit in the available space today, there is no guarantee
>> that the addition of other data to the unix_skb_parms or
>> support for additional security modules wouldn't exceed what
>> is available.
>>
>> Reviewed-by: Kees Cook <keescook@chromium.org>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> Cc: netdev@vger.kernel.org
>> ---
>
>> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
>> index 3385a7a0b231..d246aefcf4da 100644
>> --- a/net/unix/af_unix.c
>> +++ b/net/unix/af_unix.c
>> @@ -138,17 +138,23 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
>> #ifdef CONFIG_SECURITY_NETWORK
>> static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>> {
>> - UNIXCB(skb).secid = scm->secid;
>> + UNIXCB(skb).lsmdata = kmemdup(&scm->lsmblob, sizeof(scm->lsmblob),
>> + GFP_KERNEL);
>> }
>>
>> static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>> {
>> - scm->secid = UNIXCB(skb).secid;
>> + if (likely(UNIXCB(skb).lsmdata))
>> + scm->lsmblob = *(UNIXCB(skb).lsmdata);
>> + else
>> + lsmblob_init(&scm->lsmblob, 0);
>> }
>>
>> static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
>> {
>> - return (scm->secid == UNIXCB(skb).secid);
>> + if (likely(UNIXCB(skb).lsmdata))
>> + return lsmblob_equal(&scm->lsmblob, UNIXCB(skb).lsmdata);
>> + return false;
>> }
>
> I don't think that this provides sensible behavior to userspace. On a
> transient memory allocation failure, instead of returning an error to
> the sender and letting them handle it, this will just proceed with
> sending the message without its associated security information, and
> potentially split messages on arbitrary boundaries because it cannot
> tell whether the sender had the same security information. I think
> you instead need to change unix_get_secdata() to return an error on
> allocation failure and propagate that up to the sender. Not a fan of
> this change in general both due to extra overhead on this code path
> and potential for breakage on allocation failures. I know it was
> motivated by paul's observation that we won't be able to fit many more
> secids into the cb but not sure we have to go there prematurely,
> especially absent its usage by upstream AA (no unix_stream_connect
> hook implementation upstream). Also not sure how the whole bpf local
I'm not sure how premature it is, I am running late for 5.9 but would
like to land apparmor unix mediation in 5.10
> storage approach to supporting security modules (or at least bpf lsm)
> might reduce need for expanding these structures?
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v18 05/23] net: Prepare UDS for security module stacking
2020-07-09 16:28 ` John Johansen
@ 2020-07-09 19:24 ` Casey Schaufler
2020-07-09 19:54 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: Casey Schaufler @ 2020-07-09 19:24 UTC (permalink / raw)
To: John Johansen, Stephen Smalley
Cc: Casey Schaufler, James Morris, LSM List, SElinux list, Kees Cook,
Tetsuo Handa, Paul Moore, Stephen Smalley, netdev,
Casey Schaufler
On 7/9/2020 9:28 AM, John Johansen wrote:
> On 7/9/20 9:11 AM, Stephen Smalley wrote:
>> On Wed, Jul 8, 2020 at 8:23 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>> Change the data used in UDS SO_PEERSEC processing from a
>>> secid to a more general struct lsmblob. Update the
>>> security_socket_getpeersec_dgram() interface to use the
>>> lsmblob. There is a small amount of scaffolding code
>>> that will come out when the security_secid_to_secctx()
>>> code is brought in line with the lsmblob.
>>>
>>> The secid field of the unix_skb_parms structure has been
>>> replaced with a pointer to an lsmblob structure, and the
>>> lsmblob is allocated as needed. This is similar to how the
>>> list of passed files is managed. While an lsmblob structure
>>> will fit in the available space today, there is no guarantee
>>> that the addition of other data to the unix_skb_parms or
>>> support for additional security modules wouldn't exceed what
>>> is available.
>>>
>>> Reviewed-by: Kees Cook <keescook@chromium.org>
>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>> Cc: netdev@vger.kernel.org
>>> ---
>>> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
>>> index 3385a7a0b231..d246aefcf4da 100644
>>> --- a/net/unix/af_unix.c
>>> +++ b/net/unix/af_unix.c
>>> @@ -138,17 +138,23 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
>>> #ifdef CONFIG_SECURITY_NETWORK
>>> static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>>> {
>>> - UNIXCB(skb).secid = scm->secid;
>>> + UNIXCB(skb).lsmdata = kmemdup(&scm->lsmblob, sizeof(scm->lsmblob),
>>> + GFP_KERNEL);
>>> }
>>>
>>> static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>>> {
>>> - scm->secid = UNIXCB(skb).secid;
>>> + if (likely(UNIXCB(skb).lsmdata))
>>> + scm->lsmblob = *(UNIXCB(skb).lsmdata);
>>> + else
>>> + lsmblob_init(&scm->lsmblob, 0);
>>> }
>>>
>>> static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
>>> {
>>> - return (scm->secid == UNIXCB(skb).secid);
>>> + if (likely(UNIXCB(skb).lsmdata))
>>> + return lsmblob_equal(&scm->lsmblob, UNIXCB(skb).lsmdata);
>>> + return false;
>>> }
>> I don't think that this provides sensible behavior to userspace. On a
>> transient memory allocation failure, instead of returning an error to
>> the sender and letting them handle it, this will just proceed with
>> sending the message without its associated security information, and
>> potentially split messages on arbitrary boundaries because it cannot
>> tell whether the sender had the same security information. I think
>> you instead need to change unix_get_secdata() to return an error on
>> allocation failure and propagate that up to the sender.
Can't say that I think that would go over especially well.
You're right about that being a better, or at least more correct,
change.
>> Not a fan of
>> this change in general both due to extra overhead on this code path
>> and potential for breakage on allocation failures. I know it was
>> motivated by paul's observation that we won't be able to fit many more
>> secids into the cb but not sure we have to go there prematurely,
Paul wasn't completely against the original approach. His objection
was that using a struct lsmblob, which was already close to the maximum
size it can be and that can grow over time, might be a hard sell.
>> especially absent its usage by upstream AA (no unix_stream_connect
>> hook implementation upstream). Also not sure how the whole bpf local
> I'm not sure how premature it is, I am running late for 5.9 but would
> like to land apparmor unix mediation in 5.10
Which means that scaffolding around the UNIXCB.secid wouldn't
suffice for very long.
>
>> storage approach to supporting security modules (or at least bpf lsm)
>> might reduce need for expanding these structures?
I think the allocation failure case would still be an issue,
and it could be much more complicated to deal with using the
local storage model. The fundamental problem comes back to fitting
more that 32 bits of information into 32 bits without having to
perform an operation that might fail.
At this point I'm inclined to revert to the original implementation
and see if it doesn't turn out to be acceptable after all. I remain
open to better ideas.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v18 05/23] net: Prepare UDS for security module stacking
2020-07-09 16:28 ` John Johansen
2020-07-09 19:24 ` Casey Schaufler
@ 2020-07-09 19:54 ` Stephen Smalley
1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2020-07-09 19:54 UTC (permalink / raw)
To: John Johansen
Cc: Casey Schaufler, Casey Schaufler, James Morris, LSM List,
SElinux list, Kees Cook, Tetsuo Handa, Paul Moore,
Stephen Smalley, netdev
On Thu, Jul 9, 2020 at 12:28 PM John Johansen
<john.johansen@canonical.com> wrote:
>
> On 7/9/20 9:11 AM, Stephen Smalley wrote:
> > On Wed, Jul 8, 2020 at 8:23 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >>
> >> Change the data used in UDS SO_PEERSEC processing from a
> >> secid to a more general struct lsmblob. Update the
> >> security_socket_getpeersec_dgram() interface to use the
> >> lsmblob. There is a small amount of scaffolding code
> >> that will come out when the security_secid_to_secctx()
> >> code is brought in line with the lsmblob.
> >>
> >> The secid field of the unix_skb_parms structure has been
> >> replaced with a pointer to an lsmblob structure, and the
> >> lsmblob is allocated as needed. This is similar to how the
> >> list of passed files is managed. While an lsmblob structure
> >> will fit in the available space today, there is no guarantee
> >> that the addition of other data to the unix_skb_parms or
> >> support for additional security modules wouldn't exceed what
> >> is available.
> >>
> >> Reviewed-by: Kees Cook <keescook@chromium.org>
> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> >> Cc: netdev@vger.kernel.org
> >> ---
> >
> >> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> >> index 3385a7a0b231..d246aefcf4da 100644
> >> --- a/net/unix/af_unix.c
> >> +++ b/net/unix/af_unix.c
> >> @@ -138,17 +138,23 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
> >> #ifdef CONFIG_SECURITY_NETWORK
> >> static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
> >> {
> >> - UNIXCB(skb).secid = scm->secid;
> >> + UNIXCB(skb).lsmdata = kmemdup(&scm->lsmblob, sizeof(scm->lsmblob),
> >> + GFP_KERNEL);
> >> }
> >>
> >> static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
> >> {
> >> - scm->secid = UNIXCB(skb).secid;
> >> + if (likely(UNIXCB(skb).lsmdata))
> >> + scm->lsmblob = *(UNIXCB(skb).lsmdata);
> >> + else
> >> + lsmblob_init(&scm->lsmblob, 0);
> >> }
> >>
> >> static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
> >> {
> >> - return (scm->secid == UNIXCB(skb).secid);
> >> + if (likely(UNIXCB(skb).lsmdata))
> >> + return lsmblob_equal(&scm->lsmblob, UNIXCB(skb).lsmdata);
> >> + return false;
> >> }
> >
> > I don't think that this provides sensible behavior to userspace. On a
> > transient memory allocation failure, instead of returning an error to
> > the sender and letting them handle it, this will just proceed with
> > sending the message without its associated security information, and
> > potentially split messages on arbitrary boundaries because it cannot
> > tell whether the sender had the same security information. I think
> > you instead need to change unix_get_secdata() to return an error on
> > allocation failure and propagate that up to the sender. Not a fan of
> > this change in general both due to extra overhead on this code path
> > and potential for breakage on allocation failures. I know it was
> > motivated by paul's observation that we won't be able to fit many more
> > secids into the cb but not sure we have to go there prematurely,
> > especially absent its usage by upstream AA (no unix_stream_connect
> > hook implementation upstream). Also not sure how the whole bpf local
>
> I'm not sure how premature it is, I am running late for 5.9 but would
> like to land apparmor unix mediation in 5.10
Sorry I think I mischaracterized the condition under which this
support needs to be stacked. It seems to only be needed if using
SO_PASSSEC and SCM_SECURITY (i.e. datagram labeling), not just for
unix mediation or SO_PEERSEC IIUC. So not sure if that applies even
for downstream.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2020-07-09 19:55 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20200709001234.9719-1-casey@schaufler-ca.com>
2020-07-09 0:12 ` [PATCH v18 05/23] net: Prepare UDS for security module stacking Casey Schaufler
2020-07-09 16:11 ` Stephen Smalley
2020-07-09 16:28 ` John Johansen
2020-07-09 19:24 ` Casey Schaufler
2020-07-09 19:54 ` Stephen Smalley
2020-07-09 0:12 ` [PATCH v18 06/23] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 14/23] LSM: Ensure the correct LSM context releaser Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 15/23] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 17/23] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2020-07-09 0:12 ` [PATCH v18 18/23] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).