From: David Howells <dhowells@redhat.com> To: torvalds@linux-foundation.org, viro@zeniv.linux.org.uk Cc: Casey Schaufler <casey@schaufler-ca.com>, dhowells@redhat.comcasey@schaufler-ca.com, sds@tycho.nsa.gov, nicolas.dichtel@6wind.com, raven@themaw.net, christian@brauner.io, andres@anarazel.de, jlayton@redhat.com, dray@redhat.com, kzak@redhat.com, keyrings@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 11/17] smack: Implement the watch_key and post_notification hooks [ver #5] Date: Wed, 18 Mar 2020 15:04:55 +0000 [thread overview] Message-ID: <158454389492.2863966.1081946626597156477.stgit@warthog.procyon.org.uk> (raw) In-Reply-To: <158454378820.2863966.10496767254293183123.stgit@warthog.procyon.org.uk> Implement the watch_key security hook in Smack to make sure that a key grants the caller Read permission in order to set a watch on a key. Also implement the post_notification security hook to make sure that the notification source is granted Write permission by the watch queue. For the moment, the watch_devices security hook is left unimplemented as it's not obvious what the object should be since the queue is global and didn't previously exist. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> --- include/linux/lsm_audit.h | 1 + security/smack/smack_lsm.c | 83 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 83 insertions(+), 1 deletion(-) diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index 99d629fd9944..28f23b341c1c 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -75,6 +75,7 @@ struct common_audit_data { #define LSM_AUDIT_DATA_IBPKEY 13 #define LSM_AUDIT_DATA_IBENDPORT 14 #define LSM_AUDIT_DATA_LOCKDOWN 15 +#define LSM_AUDIT_DATA_NOTIFICATION 16 union { struct path path; struct dentry *dentry; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8c61d175e195..2862fc383473 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -41,6 +41,7 @@ #include <linux/parser.h> #include <linux/fs_context.h> #include <linux/fs_parser.h> +#include <linux/watch_queue.h> #include "smack.h" #define TRANS_TRUE "TRUE" @@ -4265,7 +4266,7 @@ static int smack_key_permission(key_ref_t key_ref, if (tkp = NULL) return -EACCES; - if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) + if (smack_privileged(CAP_MAC_OVERRIDE)) return 0; #ifdef CONFIG_AUDIT @@ -4311,8 +4312,81 @@ static int smack_key_getsecurity(struct key *key, char **_buffer) return length; } + +#ifdef CONFIG_KEY_NOTIFICATIONS +/** + * smack_watch_key - Smack access to watch a key for notifications. + * @key: The key to be watched + * + * Return 0 if the @watch->cred has permission to read from the key object and + * an error otherwise. + */ +static int smack_watch_key(struct key *key) +{ + struct smk_audit_info ad; + struct smack_known *tkp = smk_of_current(); + int rc; + + if (key = NULL) + return -EINVAL; + /* + * If the key hasn't been initialized give it access so that + * it may do so. + */ + if (key->security = NULL) + return 0; + /* + * This should not occur + */ + if (tkp = NULL) + return -EACCES; + + if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) + return 0; + +#ifdef CONFIG_AUDIT + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); + ad.a.u.key_struct.key = key->serial; + ad.a.u.key_struct.key_desc = key->description; +#endif + rc = smk_access(tkp, key->security, MAY_READ, &ad); + rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc); + return rc; +} +#endif /* CONFIG_KEY_NOTIFICATIONS */ #endif /* CONFIG_KEYS */ +#ifdef CONFIG_WATCH_QUEUE +/** + * smack_post_notification - Smack access to post a notification to a queue + * @w_cred: The credentials of the watcher. + * @cred: The credentials of the event source (may be NULL). + * @n: The notification message to be posted. + */ +static int smack_post_notification(const struct cred *w_cred, + const struct cred *cred, + struct watch_notification *n) +{ + struct smk_audit_info ad; + struct smack_known *subj, *obj; + int rc; + + /* Always let maintenance notifications through. */ + if (n->type = WATCH_TYPE_META) + return 0; + + if (!cred) + return 0; + subj = smk_of_task(smack_cred(cred)); + obj = smk_of_task(smack_cred(w_cred)); + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); + rc = smk_access(subj, obj, MAY_WRITE, &ad); + rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); + return rc; +} +#endif /* CONFIG_WATCH_QUEUE */ + /* * Smack Audit hooks * @@ -4701,8 +4775,15 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(key_free, smack_key_free), LSM_HOOK_INIT(key_permission, smack_key_permission), LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), +#ifdef CONFIG_KEY_NOTIFICATIONS + LSM_HOOK_INIT(watch_key, smack_watch_key), +#endif #endif /* CONFIG_KEYS */ +#ifdef CONFIG_WATCH_QUEUE + LSM_HOOK_INIT(post_notification, smack_post_notification), +#endif + /* Audit hooks */ #ifdef CONFIG_AUDIT LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init),
WARNING: multiple messages have this Message-ID (diff)
From: David Howells <dhowells@redhat.com> To: torvalds@linux-foundation.org, viro@zeniv.linux.org.uk Cc: Casey Schaufler <casey@schaufler-ca.com>, dhowells@redhat.com, casey@schaufler-ca.com, sds@tycho.nsa.gov, nicolas.dichtel@6wind.com, raven@themaw.net, christian@brauner.io, andres@anarazel.de, jlayton@redhat.com, dray@redhat.com, kzak@redhat.com, keyrings@vger.kernel.org, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 11/17] smack: Implement the watch_key and post_notification hooks [ver #5] Date: Wed, 18 Mar 2020 15:04:55 +0000 [thread overview] Message-ID: <158454389492.2863966.1081946626597156477.stgit@warthog.procyon.org.uk> (raw) In-Reply-To: <158454378820.2863966.10496767254293183123.stgit@warthog.procyon.org.uk> Implement the watch_key security hook in Smack to make sure that a key grants the caller Read permission in order to set a watch on a key. Also implement the post_notification security hook to make sure that the notification source is granted Write permission by the watch queue. For the moment, the watch_devices security hook is left unimplemented as it's not obvious what the object should be since the queue is global and didn't previously exist. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> --- include/linux/lsm_audit.h | 1 + security/smack/smack_lsm.c | 83 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 83 insertions(+), 1 deletion(-) diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index 99d629fd9944..28f23b341c1c 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -75,6 +75,7 @@ struct common_audit_data { #define LSM_AUDIT_DATA_IBPKEY 13 #define LSM_AUDIT_DATA_IBENDPORT 14 #define LSM_AUDIT_DATA_LOCKDOWN 15 +#define LSM_AUDIT_DATA_NOTIFICATION 16 union { struct path path; struct dentry *dentry; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8c61d175e195..2862fc383473 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -41,6 +41,7 @@ #include <linux/parser.h> #include <linux/fs_context.h> #include <linux/fs_parser.h> +#include <linux/watch_queue.h> #include "smack.h" #define TRANS_TRUE "TRUE" @@ -4265,7 +4266,7 @@ static int smack_key_permission(key_ref_t key_ref, if (tkp == NULL) return -EACCES; - if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) + if (smack_privileged(CAP_MAC_OVERRIDE)) return 0; #ifdef CONFIG_AUDIT @@ -4311,8 +4312,81 @@ static int smack_key_getsecurity(struct key *key, char **_buffer) return length; } + +#ifdef CONFIG_KEY_NOTIFICATIONS +/** + * smack_watch_key - Smack access to watch a key for notifications. + * @key: The key to be watched + * + * Return 0 if the @watch->cred has permission to read from the key object and + * an error otherwise. + */ +static int smack_watch_key(struct key *key) +{ + struct smk_audit_info ad; + struct smack_known *tkp = smk_of_current(); + int rc; + + if (key == NULL) + return -EINVAL; + /* + * If the key hasn't been initialized give it access so that + * it may do so. + */ + if (key->security == NULL) + return 0; + /* + * This should not occur + */ + if (tkp == NULL) + return -EACCES; + + if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) + return 0; + +#ifdef CONFIG_AUDIT + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); + ad.a.u.key_struct.key = key->serial; + ad.a.u.key_struct.key_desc = key->description; +#endif + rc = smk_access(tkp, key->security, MAY_READ, &ad); + rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc); + return rc; +} +#endif /* CONFIG_KEY_NOTIFICATIONS */ #endif /* CONFIG_KEYS */ +#ifdef CONFIG_WATCH_QUEUE +/** + * smack_post_notification - Smack access to post a notification to a queue + * @w_cred: The credentials of the watcher. + * @cred: The credentials of the event source (may be NULL). + * @n: The notification message to be posted. + */ +static int smack_post_notification(const struct cred *w_cred, + const struct cred *cred, + struct watch_notification *n) +{ + struct smk_audit_info ad; + struct smack_known *subj, *obj; + int rc; + + /* Always let maintenance notifications through. */ + if (n->type == WATCH_TYPE_META) + return 0; + + if (!cred) + return 0; + subj = smk_of_task(smack_cred(cred)); + obj = smk_of_task(smack_cred(w_cred)); + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); + rc = smk_access(subj, obj, MAY_WRITE, &ad); + rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); + return rc; +} +#endif /* CONFIG_WATCH_QUEUE */ + /* * Smack Audit hooks * @@ -4701,8 +4775,15 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(key_free, smack_key_free), LSM_HOOK_INIT(key_permission, smack_key_permission), LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), +#ifdef CONFIG_KEY_NOTIFICATIONS + LSM_HOOK_INIT(watch_key, smack_watch_key), +#endif #endif /* CONFIG_KEYS */ +#ifdef CONFIG_WATCH_QUEUE + LSM_HOOK_INIT(post_notification, smack_post_notification), +#endif + /* Audit hooks */ #ifdef CONFIG_AUDIT LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init),
next prev parent reply other threads:[~2020-03-18 15:04 UTC|newest] Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-03-18 15:03 [PATCH 00/17] pipe: Keyrings, mount and superblock notifications [ver #5] David Howells 2020-03-18 15:03 ` David Howells 2020-03-18 15:03 ` [PATCH 01/17] uapi: General notification queue definitions " David Howells 2020-03-18 15:03 ` [PATCH 02/17] security: Add hooks to rule on setting a watch " David Howells 2020-03-18 15:03 ` David Howells 2020-03-18 18:56 ` James Morris 2020-03-18 18:56 ` James Morris 2020-03-18 15:03 ` [PATCH 03/17] security: Add a hook for the point of notification insertion " David Howells 2020-03-18 15:03 ` David Howells 2020-03-18 18:57 ` James Morris 2020-03-18 18:57 ` James Morris 2020-03-18 15:03 ` [PATCH 04/17] pipe: Add O_NOTIFICATION_PIPE " David Howells 2020-03-18 15:03 ` [PATCH 05/17] pipe: Add general notification queue support " David Howells 2020-03-18 15:03 ` David Howells 2020-03-18 15:04 ` [PATCH 06/17] watch_queue: Add a key/keyring notification facility " David Howells 2020-03-18 15:04 ` David Howells 2020-03-18 19:04 ` James Morris 2020-03-18 19:04 ` James Morris 2020-03-18 15:04 ` [PATCH 07/17] Add sample notification program " David Howells 2020-03-18 15:04 ` David Howells 2020-03-18 15:04 ` [PATCH 08/17] pipe: Allow buffers to be marked read-whole-or-error for notifications " David Howells 2020-03-18 15:04 ` David Howells 2020-03-18 15:04 ` [PATCH 09/17] pipe: Add notification lossage handling " David Howells 2020-03-18 15:04 ` David Howells 2020-03-18 15:04 ` [PATCH 10/17] selinux: Implement the watch_key security hook " David Howells 2020-03-18 15:04 ` David Howells 2020-03-18 19:06 ` James Morris 2020-03-18 19:06 ` James Morris 2020-03-18 15:04 ` David Howells [this message] 2020-03-18 15:04 ` [PATCH 11/17] smack: Implement the watch_key and post_notification hooks " David Howells 2020-03-18 15:05 ` [PATCH 12/17] watch_queue: Add security hooks to rule on setting mount and sb watches " David Howells 2020-03-18 15:05 ` David Howells 2020-03-18 19:07 ` James Morris 2020-03-18 19:07 ` James Morris 2020-03-18 15:05 ` [PATCH 13/17] watch_queue: Implement mount topology and attribute change notifications " David Howells 2020-03-18 15:05 ` David Howells 2020-04-02 15:19 ` Miklos Szeredi 2020-04-02 15:19 ` Miklos Szeredi 2020-06-14 3:07 ` Ian Kent 2020-06-14 3:07 ` Ian Kent 2020-06-15 8:44 ` Miklos Szeredi 2020-06-15 8:44 ` Miklos Szeredi 2020-07-23 10:48 ` David Howells 2020-07-23 10:48 ` David Howells 2020-08-03 9:29 ` Miklos Szeredi 2020-08-03 9:29 ` Miklos Szeredi 2020-08-04 11:38 ` Ian Kent 2020-08-04 11:38 ` Ian Kent 2020-08-04 13:19 ` Miklos Szeredi 2020-08-04 13:19 ` Miklos Szeredi 2020-08-05 1:53 ` Ian Kent 2020-08-05 1:53 ` Ian Kent 2020-08-05 7:43 ` Miklos Szeredi 2020-08-05 7:43 ` Miklos Szeredi 2020-08-05 11:36 ` Ian Kent 2020-08-05 11:36 ` Ian Kent 2020-08-05 11:56 ` Miklos Szeredi 2020-08-05 11:56 ` Miklos Szeredi 2020-07-24 10:19 ` David Howells 2020-07-24 10:19 ` David Howells 2020-07-24 10:44 ` Ian Kent 2020-07-24 10:44 ` Ian Kent 2020-07-24 11:36 ` David Howells 2020-07-24 11:36 ` David Howells 2020-08-03 10:02 ` Miklos Szeredi 2020-08-03 10:02 ` Miklos Szeredi 2020-08-03 10:08 ` David Howells 2020-08-03 10:08 ` David Howells 2020-08-03 10:18 ` David Howells 2020-08-03 10:18 ` David Howells 2020-08-03 11:17 ` Miklos Szeredi 2020-08-03 11:17 ` Miklos Szeredi 2020-08-03 11:49 ` David Howells 2020-08-03 11:49 ` David Howells 2020-08-03 12:01 ` Ian Kent 2020-08-03 12:01 ` Ian Kent 2020-08-03 12:31 ` David Howells 2020-08-03 12:31 ` David Howells 2020-08-03 14:30 ` Ian Kent 2020-08-03 14:30 ` Ian Kent 2020-03-18 15:05 ` [PATCH 14/17] watch_queue: sample: Display mount tree " David Howells 2020-03-18 15:05 ` David Howells 2020-03-18 15:05 ` [PATCH 15/17] watch_queue: Introduce a non-repeating system-unique superblock ID " David Howells 2020-03-18 15:05 ` [PATCH 16/17] watch_queue: Add superblock notifications " David Howells 2020-03-18 15:05 ` David Howells 2020-03-18 15:05 ` [PATCH 17/17] watch_queue: sample: Display " David Howells 2020-03-18 15:05 ` David Howells
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=158454389492.2863966.1081946626597156477.stgit@warthog.procyon.org.uk \ --to=dhowells@redhat.com \ --cc=casey@schaufler-ca.com \ --cc=dhowells@redhat.comcasey \ --cc=torvalds@linux-foundation.org \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.