From: Salvatore Mesoraca <s.mesoraca16@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Salvatore Mesoraca <s.mesoraca16@gmail.com>,
Brad Spengler <spender@grsecurity.net>,
PaX Team <pageexec@freemail.hu>,
Casey Schaufler <casey@schaufler-ca.com>,
Kees Cook <keescook@chromium.org>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: [PATCH 10/11] Allowing for stacking procattr support in S.A.R.A.
Date: Mon, 12 Jun 2017 18:56:59 +0200 [thread overview]
Message-ID: <1497286620-15027-11-git-send-email-s.mesoraca16@gmail.com> (raw)
In-Reply-To: <1497286620-15027-1-git-send-email-s.mesoraca16@gmail.com>
This allow S.A.R.A. to use the procattr interface without interfering
with other LSMs.
This part should be reimplemented as soon as upstream procattr stacking
support is available.
Signed-off-by: Salvatore Mesoraca <s.mesoraca16@gmail.com>
---
fs/proc/base.c | 38 ++++++++++++++++++++++++++++++++++++++
security/security.c | 20 ++++++++++++++++++--
2 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index f1e1927..6d0fd1c 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2515,6 +2515,40 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
.llseek = generic_file_llseek,
};
+#ifdef CONFIG_SECURITY_SARA
+static const struct pid_entry sara_attr_dir_stuff[] = {
+ REG("wxprot", 0666, proc_pid_attr_operations),
+};
+
+static int proc_sara_attr_dir_readdir(struct file *file,
+ struct dir_context *ctx)
+{
+ return proc_pident_readdir(file, ctx,
+ sara_attr_dir_stuff,
+ ARRAY_SIZE(sara_attr_dir_stuff));
+}
+
+static const struct file_operations proc_sara_attr_dir_ops = {
+ .read = generic_read_dir,
+ .iterate_shared = proc_sara_attr_dir_readdir,
+ .llseek = generic_file_llseek,
+};
+
+static struct dentry *proc_sara_attr_dir_lookup(struct inode *dir,
+ struct dentry *dentry, unsigned int flags)
+{
+ return proc_pident_lookup(dir, dentry,
+ sara_attr_dir_stuff,
+ ARRAY_SIZE(sara_attr_dir_stuff));
+};
+
+static const struct inode_operations proc_sara_attr_dir_inode_ops = {
+ .lookup = proc_sara_attr_dir_lookup,
+ .getattr = pid_getattr,
+ .setattr = proc_setattr,
+};
+#endif /* CONFIG_SECURITY_SARA */
+
static const struct pid_entry attr_dir_stuff[] = {
REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
REG("prev", S_IRUGO, proc_pid_attr_operations),
@@ -2522,6 +2556,10 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#ifdef CONFIG_SECURITY_SARA
+ DIR("sara", 0555, proc_sara_attr_dir_inode_ops,
+ proc_sara_attr_dir_ops),
+#endif
};
static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
diff --git a/security/security.c b/security/security.c
index cf15686..6ca93c6 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1244,12 +1244,28 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode)
int security_getprocattr(struct task_struct *p, char *name, char **value)
{
- return call_int_hook(getprocattr, -EINVAL, p, name, value);
+ struct security_hook_list *hp;
+ int rc;
+
+ list_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
+ rc = hp->hook.getprocattr(p, name, value);
+ if (rc != -EINVAL)
+ return rc;
+ }
+ return -EINVAL;
}
int security_setprocattr(const char *name, void *value, size_t size)
{
- return call_int_hook(setprocattr, -EINVAL, name, value, size);
+ struct security_hook_list *hp;
+ int rc;
+
+ list_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
+ rc = hp->hook.setprocattr(name, value, size);
+ if (rc != -EINVAL)
+ return rc;
+ }
+ return -EINVAL;
}
int security_netlink_send(struct sock *sk, struct sk_buff *skb)
--
1.9.1
next prev parent reply other threads:[~2017-06-12 16:59 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-12 16:56 [PATCH 00/11] S.A.R.A. a new stacked LSM Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 01/11] S.A.R.A. Documentation Salvatore Mesoraca
2017-06-12 17:49 ` [kernel-hardening] " Jann Horn
2017-06-13 7:43 ` Salvatore Mesoraca
2017-06-27 22:51 ` Kees Cook
2017-06-27 22:54 ` Kees Cook
2017-07-04 10:12 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 02/11] S.A.R.A. framework creation Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 03/11] Creation of "usb_device_auth" LSM hook Salvatore Mesoraca
2017-06-12 17:35 ` Krzysztof Opasiak
2017-06-13 7:47 ` Salvatore Mesoraca
2017-06-12 19:38 ` Greg Kroah-Hartman
2017-06-13 7:50 ` Salvatore Mesoraca
2017-06-12 21:31 ` Casey Schaufler
2017-06-13 7:51 ` Salvatore Mesoraca
2017-06-13 1:15 ` kbuild test robot
2017-06-13 3:11 ` kbuild test robot
2017-06-12 16:56 ` [PATCH 04/11] S.A.R.A. USB Filtering Salvatore Mesoraca
2017-06-20 7:07 ` Pavel Machek
2017-06-20 7:53 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 05/11] Creation of "check_vmflags" LSM hook Salvatore Mesoraca
2017-06-12 21:31 ` Casey Schaufler
2017-06-13 7:55 ` Salvatore Mesoraca
2017-06-13 6:34 ` Christoph Hellwig
2017-06-13 7:52 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 06/11] S.A.R.A. cred blob management Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 07/11] S.A.R.A. WX Protection Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 08/11] Creation of "pagefault_handler_x86" LSM hook Salvatore Mesoraca
2017-06-12 17:32 ` Thomas Gleixner
2017-06-13 7:41 ` Salvatore Mesoraca
2017-06-12 16:56 ` [PATCH 09/11] Trampoline emulation Salvatore Mesoraca
2017-06-13 0:02 ` kbuild test robot
2017-06-12 16:56 ` Salvatore Mesoraca [this message]
2017-06-12 16:57 ` [PATCH 11/11] S.A.R.A. WX Protection procattr interface Salvatore Mesoraca
2017-07-09 19:35 ` [kernel-hardening] [PATCH 00/11] S.A.R.A. a new stacked LSM Mickaël Salaün
2017-07-10 7:59 ` Salvatore Mesoraca
2017-07-10 23:40 ` Mickaël Salaün
2017-07-11 16:58 ` Salvatore Mesoraca
2017-07-11 17:49 ` Matt Brown
2017-07-11 19:31 ` Mimi Zohar
2017-07-13 12:39 ` Matt Brown
2017-07-13 15:19 ` Mimi Zohar
2017-07-13 19:51 ` Serge E. Hallyn
2017-07-13 22:33 ` Matt Brown
2017-07-24 0:58 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1497286620-15027-11-git-send-email-s.mesoraca16@gmail.com \
--to=s.mesoraca16@gmail.com \
--cc=casey@schaufler-ca.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pageexec@freemail.hu \
--cc=serge@hallyn.com \
--cc=spender@grsecurity.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).