From: Casey Schaufler <casey@schaufler-ca.com>
To: LSM <linux-security-module@vger.kernel.org>,
"James Morris" <jmorris@namei.org>,
"SE Linux" <selinux@tycho.nsa.gov>,
LKLM <linux-kernel@vger.kernel.org>,
"John Johansen" <john.johansen@canonical.com>,
"Kees Cook" <keescook@chromium.org>,
"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
"Paul Moore" <paul@paul-moore.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"Alexey Dobriyan" <adobriyan@gmail.com>,
"Mickaël Salaün" <mic@digikod.net>,
"Salvatore Mesoraca" <s.mesoraca16@gmail.com>
Subject: [PATCH v4 11/19] LSM: Infrastructure management of the file security
Date: Fri, 21 Sep 2018 17:19:00 -0700 [thread overview]
Message-ID: <1ca14e0b-6a95-4efe-7a23-e82d7562df26@schaufler-ca.com> (raw)
In-Reply-To: <e9bfb2d5-d987-55ce-4011-9b32ff745d36@schaufler-ca.com>
Move management of the file->f_security blob out of the
individual security modules and into the infrastructure.
The modules no longer allocate or free the data, instead
they tell the infrastructure how much space they require.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/apparmor/lsm.c | 19 +++++++-------
security/security.c | 54 +++++++++++++++++++++++++++++++++++---
security/selinux/hooks.c | 25 ++----------------
security/smack/smack.h | 2 +-
security/smack/smack_lsm.c | 14 +---------
6 files changed, 66 insertions(+), 49 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0bef312efd45..167ffbd4d0c0 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2029,6 +2029,7 @@ struct security_hook_list {
*/
struct lsm_blob_sizes {
int lbs_cred;
+ int lbs_file;
};
/*
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index c2566aaa138e..15716b6ff860 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -431,21 +431,21 @@ static int apparmor_file_open(struct file *file)
static int apparmor_file_alloc_security(struct file *file)
{
- int error = 0;
-
- /* freed by apparmor_file_free_security */
+ struct aa_file_ctx *ctx = file_ctx(file);
struct aa_label *label = begin_current_label_crit_section();
- file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
- if (!file_ctx(file))
- error = -ENOMEM;
- end_current_label_crit_section(label);
- return error;
+ spin_lock_init(&ctx->lock);
+ rcu_assign_pointer(ctx->label, aa_get_label(label));
+ end_current_label_crit_section(label);
+ return 0;
}
static void apparmor_file_free_security(struct file *file)
{
- aa_free_file_ctx(file_ctx(file));
+ struct aa_file_ctx *ctx = file_ctx(file);
+
+ if (ctx)
+ aa_put_label(rcu_access_pointer(ctx->label));
}
static int common_file_perm(const char *op, struct file *file, u32 mask)
@@ -1131,6 +1131,7 @@ static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
*/
struct lsm_blob_sizes apparmor_blob_sizes = {
.lbs_cred = sizeof(struct aa_task_ctx *),
+ .lbs_file = sizeof(struct aa_file_ctx),
};
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
diff --git a/security/security.c b/security/security.c
index ff7df14f6db1..5430cae73cf6 100644
--- a/security/security.c
+++ b/security/security.c
@@ -40,6 +40,8 @@
struct security_hook_heads security_hook_heads __lsm_ro_after_init;
static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
+static struct kmem_cache *lsm_file_cache;
+
char *lsm_names;
static struct lsm_blob_sizes blob_sizes;
@@ -92,6 +94,13 @@ int __init security_init(void)
*/
do_security_initcalls();
+ /*
+ * Create any kmem_caches needed for blobs
+ */
+ if (blob_sizes.lbs_file)
+ lsm_file_cache = kmem_cache_create("lsm_file_cache",
+ blob_sizes.lbs_file, 0,
+ SLAB_PANIC, NULL);
/*
* The second call to a module specific init function
* adds hooks to the hook lists and does any other early
@@ -101,6 +110,7 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
+ pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
#endif
return 0;
@@ -277,6 +287,28 @@ static void __init lsm_set_size(int *need, int *lbs)
void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
+ lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+}
+
+/**
+ * lsm_file_alloc - allocate a composite file blob
+ * @file: the file that needs a blob
+ *
+ * Allocate the file blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_file_alloc(struct file *file)
+{
+ if (!lsm_file_cache) {
+ file->f_security = NULL;
+ return 0;
+ }
+
+ file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL);
+ if (file->f_security == NULL)
+ return -ENOMEM;
+ return 0;
}
/*
@@ -962,12 +994,28 @@ int security_file_permission(struct file *file, int mask)
int security_file_alloc(struct file *file)
{
- return call_int_hook(file_alloc_security, 0, file);
+ int rc = lsm_file_alloc(file);
+
+ if (rc)
+ return rc;
+ rc = call_int_hook(file_alloc_security, 0, file);
+ if (unlikely(rc))
+ security_file_free(file);
+ return rc;
}
void security_file_free(struct file *file)
{
+ void *blob;
+
+ if (!lsm_file_cache)
+ return;
+
call_void_hook(file_free_security, file);
+
+ blob = file->f_security;
+ file->f_security = NULL;
+ kmem_cache_free(lsm_file_cache, blob);
}
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
@@ -1085,7 +1133,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
return rc;
rc = call_int_hook(cred_alloc_blank, 0, cred, gfp);
- if (rc)
+ if (unlikely(rc))
security_cred_free(cred);
return rc;
}
@@ -1106,7 +1154,7 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
return rc;
rc = call_int_hook(cred_prepare, 0, new, old, gfp);
- if (rc)
+ if (unlikely(rc))
security_cred_free(new);
return rc;
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 641a8ce726ff..fdda53552224 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -148,7 +148,6 @@ static int __init checkreqprot_setup(char *str)
__setup("checkreqprot=", checkreqprot_setup);
static struct kmem_cache *sel_inode_cache;
-static struct kmem_cache *file_security_cache;
/**
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
@@ -380,27 +379,15 @@ static void inode_free_security(struct inode *inode)
static int file_alloc_security(struct file *file)
{
- struct file_security_struct *fsec;
+ struct file_security_struct *fsec = selinux_file(file);
u32 sid = current_sid();
- fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
- if (!fsec)
- return -ENOMEM;
-
fsec->sid = sid;
fsec->fown_sid = sid;
- file->f_security = fsec;
return 0;
}
-static void file_free_security(struct file *file)
-{
- struct file_security_struct *fsec = selinux_file(file);
- file->f_security = NULL;
- kmem_cache_free(file_security_cache, fsec);
-}
-
static int superblock_alloc_security(struct super_block *sb)
{
struct superblock_security_struct *sbsec;
@@ -3557,11 +3544,6 @@ static int selinux_file_alloc_security(struct file *file)
return file_alloc_security(file);
}
-static void selinux_file_free_security(struct file *file)
-{
- file_free_security(file);
-}
-
/*
* Check whether a task has the ioctl permission and cmd
* operation to an inode.
@@ -6855,6 +6837,7 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
struct lsm_blob_sizes selinux_blob_sizes = {
.lbs_cred = sizeof(struct task_security_struct),
+ .lbs_file = sizeof(struct file_security_struct),
};
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
@@ -6925,7 +6908,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(file_permission, selinux_file_permission),
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
@@ -7128,9 +7110,6 @@ static __init int selinux_init(void)
sel_inode_cache = kmem_cache_create("selinux_inode_security",
sizeof(struct inode_security_struct),
0, SLAB_PANIC, NULL);
- file_security_cache = kmem_cache_create("selinux_file_security",
- sizeof(struct file_security_struct),
- 0, SLAB_PANIC, NULL);
avc_init();
avtab_cache_init();
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 22ca30379209..62a22ad8ce92 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -363,7 +363,7 @@ static inline struct task_smack *smack_cred(const struct cred *cred)
static inline struct smack_known **smack_file(const struct file *file)
{
- return (struct smack_known **)&file->f_security;
+ return file->f_security;
}
/*
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 9ec595f0c3f1..d1430341798f 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1577,18 +1577,6 @@ static int smack_file_alloc_security(struct file *file)
return 0;
}
-/**
- * smack_file_free_security - clear a file security blob
- * @file: the object
- *
- * The security blob for a file is a pointer to the master
- * label list, so no memory is freed.
- */
-static void smack_file_free_security(struct file *file)
-{
- file->f_security = NULL;
-}
-
/**
* smack_file_ioctl - Smack check on ioctls
* @file: the object
@@ -4630,6 +4618,7 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
struct lsm_blob_sizes smack_blob_sizes = {
.lbs_cred = sizeof(struct task_smack),
+ .lbs_file = sizeof(struct smack_known *),
};
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
@@ -4667,7 +4656,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
- LSM_HOOK_INIT(file_free_security, smack_file_free_security),
LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
LSM_HOOK_INIT(file_lock, smack_file_lock),
LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
--
2.17.1
next prev parent reply other threads:[~2018-09-22 0:19 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-21 23:59 [PATCH v4 00/19] LSM: Module stacking for SARA and Landlock Casey Schaufler
2018-09-22 0:16 ` [PATCH v4 01/19] procfs: add smack subdir to attrs Casey Schaufler
2018-09-22 0:17 ` [PATCH v4 02/19] Smack: Abstract use of cred security blob Casey Schaufler
2018-09-22 2:44 ` Kees Cook
2018-09-22 0:17 ` [PATCH v4 03/19] SELinux: " Casey Schaufler
2018-09-22 0:17 ` [PATCH v4 04/19] SELinux: Remove cred security blob poisoning Casey Schaufler
2018-09-22 2:43 ` Kees Cook
2018-09-27 22:13 ` James Morris
2018-09-27 22:32 ` Casey Schaufler
2018-09-22 0:17 ` [PATCH v4 05/19] SELinux: Remove unused selinux_is_enabled Casey Schaufler
2018-09-22 2:43 ` Kees Cook
2018-09-22 0:17 ` [PATCH v4 06/19] AppArmor: Abstract use of cred security blob Casey Schaufler
2018-09-22 2:46 ` Kees Cook
2018-09-22 0:18 ` [PATCH v4 07/19] TOMOYO: " Casey Schaufler
2018-09-22 2:47 ` Kees Cook
2018-09-22 0:18 ` [PATCH v4 08/19] Infrastructure management of the " Casey Schaufler
2018-09-22 2:50 ` Kees Cook
2018-09-22 0:18 ` [PATCH v4 09/19] SELinux: Abstract use of file " Casey Schaufler
2018-09-22 0:18 ` [PATCH v4 10/19] Smack: " Casey Schaufler
2018-09-22 2:51 ` Kees Cook
2018-09-22 0:19 ` Casey Schaufler [this message]
2018-09-22 2:53 ` [PATCH v4 11/19] LSM: Infrastructure management of the file security Kees Cook
2018-09-22 0:19 ` [PATCH v4 12/19] SELinux: Abstract use of inode security blob Casey Schaufler
2018-09-22 0:19 ` [PATCH v4 13/19] Smack: " Casey Schaufler
2018-09-22 0:19 ` [PATCH v4 14/19] LSM: Infrastructure management of the inode security Casey Schaufler
2018-09-22 2:55 ` Kees Cook
2018-10-03 18:13 ` James Morris
2018-10-04 4:49 ` Casey Schaufler
2018-09-22 0:19 ` [PATCH v4 15/19] LSM: Infrastructure management of the task security Casey Schaufler
2018-09-22 2:56 ` Kees Cook
2018-09-22 0:19 ` [PATCH v4 16/19] SELinux: Abstract use of ipc security blobs Casey Schaufler
2018-09-22 2:56 ` Kees Cook
2018-09-22 0:19 ` [PATCH v4 17/19] Smack: " Casey Schaufler
2018-09-22 2:57 ` Kees Cook
2018-09-22 0:20 ` [PATCH v4 18/19] LSM: Infrastructure management of the ipc security blob Casey Schaufler
2018-09-22 2:58 ` Kees Cook
2018-09-22 0:20 ` [PATCH v4 19/19] LSM: Blob sharing support for S.A.R.A and LandLock Casey Schaufler
2018-09-22 0:22 ` [PATCH v4 09/19] SELinux: Abstract use of file security blob Casey Schaufler
2018-09-22 3:02 ` [PATCH v4 00/19] LSM: Module stacking for SARA and Landlock Kees Cook
2018-09-22 16:38 ` Casey Schaufler
2018-09-23 2:43 ` Kees Cook
2018-09-23 15:59 ` Tetsuo Handa
2018-09-23 17:09 ` Casey Schaufler
2018-09-24 1:53 ` Tetsuo Handa
2018-09-24 17:16 ` Casey Schaufler
2018-09-24 17:53 ` Tetsuo Handa
2018-09-24 20:33 ` Casey Schaufler
2018-09-24 15:01 ` Stephen Smalley
2018-09-24 16:15 ` Casey Schaufler
2018-09-24 17:22 ` Tetsuo Handa
2018-10-01 17:58 ` James Morris
2018-09-26 21:57 ` [PATCH v4 20/19] LSM: Correct file blob free empty blob check Casey Schaufler
2018-10-01 20:29 ` Kees Cook
2018-09-26 21:57 ` [PATCH 21/19] LSM: Cleanup and fixes from Tetsuo Handa Casey Schaufler
2018-10-01 21:48 ` Kees Cook
2018-10-12 20:07 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1ca14e0b-6a95-4efe-7a23-e82d7562df26@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=adobriyan@gmail.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=s.mesoraca16@gmail.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).