linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: LSM <linux-security-module@vger.kernel.org>,
	"James Morris" <jmorris@namei.org>,
	"SE Linux" <selinux@tycho.nsa.gov>,
	LKLM <linux-kernel@vger.kernel.org>,
	"John Johansen" <john.johansen@canonical.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
	"Paul Moore" <paul@paul-moore.com>,
	"Stephen Smalley" <sds@tycho.nsa.gov>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	"Alexey Dobriyan" <adobriyan@gmail.com>,
	"Mickaël Salaün" <mic@digikod.net>,
	"Salvatore Mesoraca" <s.mesoraca16@gmail.com>
Subject: [PATCH v4 07/19] TOMOYO: Abstract use of cred security blob
Date: Fri, 21 Sep 2018 17:18:07 -0700	[thread overview]
Message-ID: <8ea966f7-924e-b805-56e8-9ad74e7f9d86@schaufler-ca.com> (raw)
In-Reply-To: <e9bfb2d5-d987-55ce-4011-9b32ff745d36@schaufler-ca.com>

Don't use the cred->security pointer directly.
Provide helper functions that provide the security blob pointer.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/tomoyo/common.h        | 21 +++++++++++++++--
 security/tomoyo/domain.c        |  4 +++-
 security/tomoyo/securityfs_if.c | 15 +++++++++----
 security/tomoyo/tomoyo.c        | 40 +++++++++++++++++++++++++--------
 4 files changed, 64 insertions(+), 16 deletions(-)

diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 539bcdd30bb8..c9d8c49e3210 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -29,6 +29,7 @@
 #include <linux/in.h>
 #include <linux/in6.h>
 #include <linux/un.h>
+#include <linux/lsm_hooks.h>
 #include <net/sock.h>
 #include <net/af_unix.h>
 #include <net/ip.h>
@@ -1062,6 +1063,7 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
 /********** External variable definitions. **********/
 
 extern bool tomoyo_policy_loaded;
+extern bool tomoyo_enabled;
 extern const char * const tomoyo_condition_keyword
 [TOMOYO_MAX_CONDITION_KEYWORD];
 extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
@@ -1196,6 +1198,17 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
 		atomic_dec(&group->head.users);
 }
 
+/**
+ * tomoyo_cred - Get a pointer to the tomoyo cred security blob
+ * @cred - the relevant cred
+ *
+ * Returns pointer to the tomoyo cred blob.
+ */
+static inline struct tomoyo_domain_info **tomoyo_cred(const struct cred *cred)
+{
+	return (struct tomoyo_domain_info **)&cred->security;
+}
+
 /**
  * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
  *
@@ -1203,7 +1216,9 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
  */
 static inline struct tomoyo_domain_info *tomoyo_domain(void)
 {
-	return current_cred()->security;
+	struct tomoyo_domain_info **blob = tomoyo_cred(current_cred());
+
+	return *blob;
 }
 
 /**
@@ -1216,7 +1231,9 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void)
 static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
 							    *task)
 {
-	return task_cred_xxx(task, security);
+	struct tomoyo_domain_info **blob = tomoyo_cred(get_task_cred(task));
+
+	return *blob;
 }
 
 /**
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index f6758dad981f..b7469fdbff01 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -678,6 +678,7 @@ static int tomoyo_environ(struct tomoyo_execve *ee)
  */
 int tomoyo_find_next_domain(struct linux_binprm *bprm)
 {
+	struct tomoyo_domain_info **blob;
 	struct tomoyo_domain_info *old_domain = tomoyo_domain();
 	struct tomoyo_domain_info *domain = NULL;
 	const char *original_name = bprm->filename;
@@ -843,7 +844,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
 		domain = old_domain;
 	/* Update reference count on "struct tomoyo_domain_info". */
 	atomic_inc(&domain->users);
-	bprm->cred->security = domain;
+	blob = tomoyo_cred(bprm->cred);
+	*blob = domain;
 	kfree(exename.name);
 	if (!retval) {
 		ee->r.domain = domain;
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 1d3d7e7a1f05..768dff9608b1 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -71,9 +71,12 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
 				if (!cred) {
 					error = -ENOMEM;
 				} else {
-					struct tomoyo_domain_info *old_domain =
-						cred->security;
-					cred->security = new_domain;
+					struct tomoyo_domain_info **blob;
+					struct tomoyo_domain_info *old_domain;
+
+					blob = tomoyo_cred(cred);
+					old_domain = *blob;
+					*blob = new_domain;
 					atomic_inc(&new_domain->users);
 					atomic_dec(&old_domain->users);
 					commit_creds(cred);
@@ -234,10 +237,14 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode,
  */
 static int __init tomoyo_initerface_init(void)
 {
+	struct tomoyo_domain_info *domain;
 	struct dentry *tomoyo_dir;
 
+	if (!tomoyo_enabled)
+		return 0;
+	domain = tomoyo_domain();
 	/* Don't create securityfs entries unless registered. */
-	if (current_cred()->security != &tomoyo_kernel_domain)
+	if (domain != &tomoyo_kernel_domain)
 		return 0;
 
 	tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 9f932e2d6852..25739888921f 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -18,7 +18,9 @@
  */
 static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
 {
-	new->security = NULL;
+	struct tomoyo_domain_info **blob = tomoyo_cred(new);
+
+	*blob = NULL;
 	return 0;
 }
 
@@ -34,8 +36,13 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
 static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
 			       gfp_t gfp)
 {
-	struct tomoyo_domain_info *domain = old->security;
-	new->security = domain;
+	struct tomoyo_domain_info **old_blob = tomoyo_cred(old);
+	struct tomoyo_domain_info **new_blob = tomoyo_cred(new);
+	struct tomoyo_domain_info *domain;
+
+	domain = *old_blob;
+	*new_blob = domain;
+
 	if (domain)
 		atomic_inc(&domain->users);
 	return 0;
@@ -59,7 +66,9 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
  */
 static void tomoyo_cred_free(struct cred *cred)
 {
-	struct tomoyo_domain_info *domain = cred->security;
+	struct tomoyo_domain_info **blob = tomoyo_cred(cred);
+	struct tomoyo_domain_info *domain = *blob;
+
 	if (domain)
 		atomic_dec(&domain->users);
 }
@@ -73,6 +82,9 @@ static void tomoyo_cred_free(struct cred *cred)
  */
 static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
 {
+	struct tomoyo_domain_info **blob;
+	struct tomoyo_domain_info *domain;
+
 	/*
 	 * Do only if this function is called for the first time of an execve
 	 * operation.
@@ -93,13 +105,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
 	 * stored inside "bprm->cred->security" will be acquired later inside
 	 * tomoyo_find_next_domain().
 	 */
-	atomic_dec(&((struct tomoyo_domain_info *)
-		     bprm->cred->security)->users);
+	blob = tomoyo_cred(bprm->cred);
+	domain = *blob;
+	atomic_dec(&domain->users);
 	/*
 	 * Tell tomoyo_bprm_check_security() is called for the first time of an
 	 * execve operation.
 	 */
-	bprm->cred->security = NULL;
+	*blob = NULL;
 	return 0;
 }
 
@@ -112,8 +125,11 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
  */
 static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
 {
-	struct tomoyo_domain_info *domain = bprm->cred->security;
+	struct tomoyo_domain_info **blob;
+	struct tomoyo_domain_info *domain;
 
+	blob = tomoyo_cred(bprm->cred);
+	domain = *blob;
 	/*
 	 * Execute permission is checked against pathname passed to do_execve()
 	 * using current domain.
@@ -531,6 +547,8 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
 /* Lock for GC. */
 DEFINE_SRCU(tomoyo_ss);
 
+bool tomoyo_enabled;
+
 /**
  * tomoyo_init - Register TOMOYO Linux as a LSM module.
  *
@@ -539,13 +557,17 @@ DEFINE_SRCU(tomoyo_ss);
 static int __init tomoyo_init(void)
 {
 	struct cred *cred = (struct cred *) current_cred();
+	struct tomoyo_domain_info **blob;
 
 	if (!security_module_enable("tomoyo"))
 		return 0;
+	tomoyo_enabled = true;
+
 	/* register ourselves with the security framework */
 	security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
 	printk(KERN_INFO "TOMOYO Linux initialized\n");
-	cred->security = &tomoyo_kernel_domain;
+	blob = tomoyo_cred(cred);
+	*blob = &tomoyo_kernel_domain;
 	tomoyo_mm_init();
 	return 0;
 }
-- 
2.17.1



  parent reply	other threads:[~2018-09-22  0:18 UTC|newest]

Thread overview: 56+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-21 23:59 [PATCH v4 00/19] LSM: Module stacking for SARA and Landlock Casey Schaufler
2018-09-22  0:16 ` [PATCH v4 01/19] procfs: add smack subdir to attrs Casey Schaufler
2018-09-22  0:17 ` [PATCH v4 02/19] Smack: Abstract use of cred security blob Casey Schaufler
2018-09-22  2:44   ` Kees Cook
2018-09-22  0:17 ` [PATCH v4 03/19] SELinux: " Casey Schaufler
2018-09-22  0:17 ` [PATCH v4 04/19] SELinux: Remove cred security blob poisoning Casey Schaufler
2018-09-22  2:43   ` Kees Cook
2018-09-27 22:13   ` James Morris
2018-09-27 22:32     ` Casey Schaufler
2018-09-22  0:17 ` [PATCH v4 05/19] SELinux: Remove unused selinux_is_enabled Casey Schaufler
2018-09-22  2:43   ` Kees Cook
2018-09-22  0:17 ` [PATCH v4 06/19] AppArmor: Abstract use of cred security blob Casey Schaufler
2018-09-22  2:46   ` Kees Cook
2018-09-22  0:18 ` Casey Schaufler [this message]
2018-09-22  2:47   ` [PATCH v4 07/19] TOMOYO: " Kees Cook
2018-09-22  0:18 ` [PATCH v4 08/19] Infrastructure management of the " Casey Schaufler
2018-09-22  2:50   ` Kees Cook
2018-09-22  0:18 ` [PATCH v4 09/19] SELinux: Abstract use of file " Casey Schaufler
2018-09-22  0:18 ` [PATCH v4 10/19] Smack: " Casey Schaufler
2018-09-22  2:51   ` Kees Cook
2018-09-22  0:19 ` [PATCH v4 11/19] LSM: Infrastructure management of the file security Casey Schaufler
2018-09-22  2:53   ` Kees Cook
2018-09-22  0:19 ` [PATCH v4 12/19] SELinux: Abstract use of inode security blob Casey Schaufler
2018-09-22  0:19 ` [PATCH v4 13/19] Smack: " Casey Schaufler
2018-09-22  0:19 ` [PATCH v4 14/19] LSM: Infrastructure management of the inode security Casey Schaufler
2018-09-22  2:55   ` Kees Cook
2018-10-03 18:13     ` James Morris
2018-10-04  4:49       ` Casey Schaufler
2018-09-22  0:19 ` [PATCH v4 15/19] LSM: Infrastructure management of the task security Casey Schaufler
2018-09-22  2:56   ` Kees Cook
2018-09-22  0:19 ` [PATCH v4 16/19] SELinux: Abstract use of ipc security blobs Casey Schaufler
2018-09-22  2:56   ` Kees Cook
2018-09-22  0:19 ` [PATCH v4 17/19] Smack: " Casey Schaufler
2018-09-22  2:57   ` Kees Cook
2018-09-22  0:20 ` [PATCH v4 18/19] LSM: Infrastructure management of the ipc security blob Casey Schaufler
2018-09-22  2:58   ` Kees Cook
2018-09-22  0:20 ` [PATCH v4 19/19] LSM: Blob sharing support for S.A.R.A and LandLock Casey Schaufler
2018-09-22  0:22 ` [PATCH v4 09/19] SELinux: Abstract use of file security blob Casey Schaufler
2018-09-22  3:02 ` [PATCH v4 00/19] LSM: Module stacking for SARA and Landlock Kees Cook
2018-09-22 16:38   ` Casey Schaufler
2018-09-23  2:43     ` Kees Cook
2018-09-23 15:59       ` Tetsuo Handa
2018-09-23 17:09         ` Casey Schaufler
2018-09-24  1:53           ` Tetsuo Handa
2018-09-24 17:16             ` Casey Schaufler
2018-09-24 17:53               ` Tetsuo Handa
2018-09-24 20:33                 ` Casey Schaufler
2018-09-24 15:01           ` Stephen Smalley
2018-09-24 16:15             ` Casey Schaufler
2018-09-24 17:22               ` Tetsuo Handa
2018-10-01 17:58           ` James Morris
2018-09-26 21:57 ` [PATCH v4 20/19] LSM: Correct file blob free empty blob check Casey Schaufler
2018-10-01 20:29   ` Kees Cook
2018-09-26 21:57 ` [PATCH 21/19] LSM: Cleanup and fixes from Tetsuo Handa Casey Schaufler
2018-10-01 21:48   ` Kees Cook
2018-10-12 20:07     ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8ea966f7-924e-b805-56e8-9ad74e7f9d86@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=adobriyan@gmail.com \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mic@digikod.net \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=s.mesoraca16@gmail.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).