From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
keescook@chromium.org, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org
Subject: [PATCH v37 22/33] LSM: security_secid_to_secctx module selection
Date: Mon, 27 Jun 2022 17:56:00 -0700 [thread overview]
Message-ID: <20220628005611.13106-23-casey@schaufler-ca.com> (raw)
In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com>
Add a parameter to security_secid_to_secctx() to identify
which of the security modules that may be active should
provide the security context. If the parameter is greater
than or equal to zero, the security module associated with
that LSM "slot" is used. If the value is LSMBLOB_DISPLAY
the "interface lsm" is used. If the value is LSMBLOB_FIRST
the first security module providing a hook is used.
The integrity IMA subsystem has chosen to always use the
LSMBLOB_FIRST behavior, regardless of the lsm_display values.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
drivers/android/binder.c | 2 +-
include/linux/security.h | 7 +++++--
include/net/scm.h | 2 +-
kernel/audit.c | 4 ++--
kernel/auditsc.c | 7 ++++---
net/ipv4/ip_sockglue.c | 2 +-
net/netfilter/nf_conntrack_netlink.c | 4 ++--
net/netfilter/nf_conntrack_standalone.c | 2 +-
net/netfilter/nfnetlink_queue.c | 2 +-
net/netlabel/netlabel_unlabeled.c | 11 +++++++----
net/netlabel/netlabel_user.c | 2 +-
security/security.c | 20 ++++++++++++++++++--
12 files changed, 44 insertions(+), 21 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index f2a0faf6d9c6..06c9263108a8 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3057,7 +3057,7 @@ static void binder_transaction(struct binder_proc *proc,
size_t added_size;
security_cred_getsecid(proc->cred, &blob);
- ret = security_secid_to_secctx(&blob, &lsmctx);
+ ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY);
if (ret) {
binder_txn_error("%d:%d failed to get security context\n",
thread->pid, proc->pid);
diff --git a/include/linux/security.h b/include/linux/security.h
index a4d08b47cbc3..5ebc3ec6948c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -186,6 +186,8 @@ struct lsmblob {
#define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */
#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */
#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */
+#define LSMBLOB_DISPLAY -4 /* Use the "interface_lsm" slot */
+#define LSMBLOB_FIRST -5 /* Use the first slot */
/**
* lsmblob_init - initialize a lsmblob structure
@@ -628,7 +630,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
-int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp);
+int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp,
+ int ilsm);
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob);
void security_release_secctx(struct lsmcontext *cp);
@@ -1482,7 +1485,7 @@ static inline int security_ismaclabel(const char *name)
}
static inline int security_secid_to_secctx(struct lsmblob *blob,
- struct lsmcontext *cp)
+ struct lsmcontext *cp, int ilsm)
{
return -EOPNOTSUPP;
}
diff --git a/include/net/scm.h b/include/net/scm.h
index b77a52f93389..f4d567d4885e 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -101,7 +101,7 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
* and the infrastructure will know which it is.
*/
lsmblob_init(&lb, scm->secid);
- err = security_secid_to_secctx(&lb, &context);
+ err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY);
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len,
diff --git a/kernel/audit.c b/kernel/audit.c
index 6500d97ce9ad..99439dcc75fc 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1464,7 +1464,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (lsmblob_is_set(&audit_sig_lsm)) {
err = security_secid_to_secctx(&audit_sig_lsm,
- &context);
+ &context, LSMBLOB_FIRST);
if (err)
return err;
}
@@ -2176,7 +2176,7 @@ int audit_log_task_context(struct audit_buffer *ab)
if (!lsmblob_is_set(&blob))
return 0;
- error = security_secid_to_secctx(&blob, &context);
+ error = security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST);
if (error) {
if (error != -EINVAL)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 25a6c2a5b4b3..318529b1f930 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1132,7 +1132,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
if (lsmblob_is_set(blob)) {
- if (security_secid_to_secctx(blob, &lsmctx)) {
+ if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
@@ -1425,7 +1425,8 @@ static void show_special(struct audit_context *context, int *call_panic)
struct lsmblob blob;
lsmblob_init(&blob, osid);
- if (security_secid_to_secctx(&blob, &lsmcxt)) {
+ if (security_secid_to_secctx(&blob, &lsmcxt,
+ LSMBLOB_FIRST)) {
audit_log_format(ab, " osid=%u", osid);
*call_panic = 1;
} else {
@@ -1593,7 +1594,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
struct lsmcontext lsmctx;
lsmblob_init(&blob, n->osid);
- if (security_secid_to_secctx(&blob, &lsmctx)) {
+ if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) {
audit_log_format(ab, " osid=%u", n->osid);
if (call_panic)
*call_panic = 2;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index ad5be7707bca..9b5c44dec1e9 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -140,7 +140,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
return;
lsmblob_init(&lb, secid);
- err = security_secid_to_secctx(&lb, &context);
+ err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY);
if (err)
return;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 8bd6ce5f9e93..14d0d4f705eb 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -353,7 +353,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
* security_secid_to_secctx() will know which security module
* to use to create the secctx. */
lsmblob_init(&blob, ct->secmark);
- ret = security_secid_to_secctx(&blob, &context);
+ ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY);
if (ret)
return 0;
@@ -663,7 +663,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
int len;
struct lsmblob blob;
- len = security_secid_to_secctx(&blob, NULL);
+ len = security_secid_to_secctx(&blob, NULL, LSMBLOB_DISPLAY);
if (len <= 0)
return 0;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 5003acf79794..8921e269c381 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -180,7 +180,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
struct lsmcontext context;
lsmblob_init(&blob, ct->secmark);
- ret = security_secid_to_secctx(&blob, &context);
+ ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY);
if (ret)
return;
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index f60a0b6240ff..844955b2e163 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -316,7 +316,7 @@ static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context)
* blob. security_secid_to_secctx() will know which security
* module to use to create the secctx. */
lsmblob_init(&blob, skb->secmark);
- security_secid_to_secctx(&blob, context);
+ security_secid_to_secctx(&blob, context, LSMBLOB_DISPLAY);
}
read_unlock_bh(&skb->sk->sk_callback_lock);
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 910a03f15b0d..8deee7e176a9 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -437,7 +437,8 @@ int netlbl_unlhsh_add(struct net *net,
unlhsh_add_return:
rcu_read_unlock();
if (audit_buf != NULL) {
- if (security_secid_to_secctx(lsmblob, &context) == 0) {
+ if (security_secid_to_secctx(lsmblob, &context,
+ LSMBLOB_FIRST) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -491,7 +492,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
addr->s_addr, mask->s_addr);
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(&entry->lsmblob, &context) == 0) {
+ security_secid_to_secctx(&entry->lsmblob, &context,
+ LSMBLOB_FIRST) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -550,7 +552,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
addr, mask);
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(&entry->lsmblob, &context) == 0) {
+ security_secid_to_secctx(&entry->lsmblob, &context,
+ LSMBLOB_FIRST) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -1120,7 +1123,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
lsmb = (struct lsmblob *)&addr6->lsmblob;
}
- ret_val = security_secid_to_secctx(lsmb, &context);
+ ret_val = security_secid_to_secctx(lsmb, &context, LSMBLOB_FIRST);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 951ba0639d20..1941877fd16f 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -100,7 +100,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
lsmblob_init(&blob, audit_info->secid);
if (audit_info->secid != 0 &&
- security_secid_to_secctx(&blob, &context) == 0) {
+ security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST) == 0) {
audit_log_format(audit_buf, " subj=%s", context.context);
security_release_secctx(&context);
}
diff --git a/security/security.c b/security/security.c
index 96a89fd5802b..a9a56be58e73 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2353,20 +2353,36 @@ EXPORT_SYMBOL(security_ismaclabel);
* security_secid_to_secctx - convert secid to secctx
* @blob: set of secids
* @cp: lsm context into which result is put
+ * @ilsm: which security module to report
*
* Translate secid information into a secctx string.
* Return a negative value on error.
* If cp is NULL return the length of the string.
* Otherwise, return 0.
*/
-int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp)
+int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp,
+ int ilsm)
{
struct security_hook_list *hp;
- int ilsm = lsm_task_ilsm(current);
if (cp)
memset(cp, 0, sizeof(*cp));
+ /*
+ * ilsm either is the slot number use for formatting
+ * or an instruction on which relative slot to use.
+ */
+ if (ilsm == LSMBLOB_DISPLAY)
+ ilsm = lsm_task_ilsm(current);
+ else if (ilsm == LSMBLOB_FIRST)
+ ilsm = LSMBLOB_INVALID;
+ else if (ilsm < 0) {
+ WARN_ONCE(true, "LSM: %s unknown interface LSM\n", __func__);
+ ilsm = LSMBLOB_INVALID;
+ } else if (ilsm >= lsm_slot) {
+ WARN_ONCE(true, "LSM: %s invalid interface LSM\n", __func__);
+ ilsm = LSMBLOB_INVALID;
+ }
hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
--
2.36.1
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org,
linux-audit@redhat.com
Subject: [PATCH v37 22/33] LSM: security_secid_to_secctx module selection
Date: Mon, 27 Jun 2022 17:56:00 -0700 [thread overview]
Message-ID: <20220628005611.13106-23-casey@schaufler-ca.com> (raw)
In-Reply-To: <20220628005611.13106-1-casey@schaufler-ca.com>
Add a parameter to security_secid_to_secctx() to identify
which of the security modules that may be active should
provide the security context. If the parameter is greater
than or equal to zero, the security module associated with
that LSM "slot" is used. If the value is LSMBLOB_DISPLAY
the "interface lsm" is used. If the value is LSMBLOB_FIRST
the first security module providing a hook is used.
The integrity IMA subsystem has chosen to always use the
LSMBLOB_FIRST behavior, regardless of the lsm_display values.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
drivers/android/binder.c | 2 +-
include/linux/security.h | 7 +++++--
include/net/scm.h | 2 +-
kernel/audit.c | 4 ++--
kernel/auditsc.c | 7 ++++---
net/ipv4/ip_sockglue.c | 2 +-
net/netfilter/nf_conntrack_netlink.c | 4 ++--
net/netfilter/nf_conntrack_standalone.c | 2 +-
net/netfilter/nfnetlink_queue.c | 2 +-
net/netlabel/netlabel_unlabeled.c | 11 +++++++----
net/netlabel/netlabel_user.c | 2 +-
security/security.c | 20 ++++++++++++++++++--
12 files changed, 44 insertions(+), 21 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index f2a0faf6d9c6..06c9263108a8 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3057,7 +3057,7 @@ static void binder_transaction(struct binder_proc *proc,
size_t added_size;
security_cred_getsecid(proc->cred, &blob);
- ret = security_secid_to_secctx(&blob, &lsmctx);
+ ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY);
if (ret) {
binder_txn_error("%d:%d failed to get security context\n",
thread->pid, proc->pid);
diff --git a/include/linux/security.h b/include/linux/security.h
index a4d08b47cbc3..5ebc3ec6948c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -186,6 +186,8 @@ struct lsmblob {
#define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */
#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */
#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */
+#define LSMBLOB_DISPLAY -4 /* Use the "interface_lsm" slot */
+#define LSMBLOB_FIRST -5 /* Use the first slot */
/**
* lsmblob_init - initialize a lsmblob structure
@@ -628,7 +630,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
-int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp);
+int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp,
+ int ilsm);
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob);
void security_release_secctx(struct lsmcontext *cp);
@@ -1482,7 +1485,7 @@ static inline int security_ismaclabel(const char *name)
}
static inline int security_secid_to_secctx(struct lsmblob *blob,
- struct lsmcontext *cp)
+ struct lsmcontext *cp, int ilsm)
{
return -EOPNOTSUPP;
}
diff --git a/include/net/scm.h b/include/net/scm.h
index b77a52f93389..f4d567d4885e 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -101,7 +101,7 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
* and the infrastructure will know which it is.
*/
lsmblob_init(&lb, scm->secid);
- err = security_secid_to_secctx(&lb, &context);
+ err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY);
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len,
diff --git a/kernel/audit.c b/kernel/audit.c
index 6500d97ce9ad..99439dcc75fc 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1464,7 +1464,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (lsmblob_is_set(&audit_sig_lsm)) {
err = security_secid_to_secctx(&audit_sig_lsm,
- &context);
+ &context, LSMBLOB_FIRST);
if (err)
return err;
}
@@ -2176,7 +2176,7 @@ int audit_log_task_context(struct audit_buffer *ab)
if (!lsmblob_is_set(&blob))
return 0;
- error = security_secid_to_secctx(&blob, &context);
+ error = security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST);
if (error) {
if (error != -EINVAL)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 25a6c2a5b4b3..318529b1f930 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1132,7 +1132,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
if (lsmblob_is_set(blob)) {
- if (security_secid_to_secctx(blob, &lsmctx)) {
+ if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
@@ -1425,7 +1425,8 @@ static void show_special(struct audit_context *context, int *call_panic)
struct lsmblob blob;
lsmblob_init(&blob, osid);
- if (security_secid_to_secctx(&blob, &lsmcxt)) {
+ if (security_secid_to_secctx(&blob, &lsmcxt,
+ LSMBLOB_FIRST)) {
audit_log_format(ab, " osid=%u", osid);
*call_panic = 1;
} else {
@@ -1593,7 +1594,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
struct lsmcontext lsmctx;
lsmblob_init(&blob, n->osid);
- if (security_secid_to_secctx(&blob, &lsmctx)) {
+ if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) {
audit_log_format(ab, " osid=%u", n->osid);
if (call_panic)
*call_panic = 2;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index ad5be7707bca..9b5c44dec1e9 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -140,7 +140,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
return;
lsmblob_init(&lb, secid);
- err = security_secid_to_secctx(&lb, &context);
+ err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY);
if (err)
return;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 8bd6ce5f9e93..14d0d4f705eb 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -353,7 +353,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
* security_secid_to_secctx() will know which security module
* to use to create the secctx. */
lsmblob_init(&blob, ct->secmark);
- ret = security_secid_to_secctx(&blob, &context);
+ ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY);
if (ret)
return 0;
@@ -663,7 +663,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
int len;
struct lsmblob blob;
- len = security_secid_to_secctx(&blob, NULL);
+ len = security_secid_to_secctx(&blob, NULL, LSMBLOB_DISPLAY);
if (len <= 0)
return 0;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 5003acf79794..8921e269c381 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -180,7 +180,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
struct lsmcontext context;
lsmblob_init(&blob, ct->secmark);
- ret = security_secid_to_secctx(&blob, &context);
+ ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY);
if (ret)
return;
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index f60a0b6240ff..844955b2e163 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -316,7 +316,7 @@ static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context)
* blob. security_secid_to_secctx() will know which security
* module to use to create the secctx. */
lsmblob_init(&blob, skb->secmark);
- security_secid_to_secctx(&blob, context);
+ security_secid_to_secctx(&blob, context, LSMBLOB_DISPLAY);
}
read_unlock_bh(&skb->sk->sk_callback_lock);
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 910a03f15b0d..8deee7e176a9 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -437,7 +437,8 @@ int netlbl_unlhsh_add(struct net *net,
unlhsh_add_return:
rcu_read_unlock();
if (audit_buf != NULL) {
- if (security_secid_to_secctx(lsmblob, &context) == 0) {
+ if (security_secid_to_secctx(lsmblob, &context,
+ LSMBLOB_FIRST) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -491,7 +492,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
addr->s_addr, mask->s_addr);
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(&entry->lsmblob, &context) == 0) {
+ security_secid_to_secctx(&entry->lsmblob, &context,
+ LSMBLOB_FIRST) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -550,7 +552,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
addr, mask);
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(&entry->lsmblob, &context) == 0) {
+ security_secid_to_secctx(&entry->lsmblob, &context,
+ LSMBLOB_FIRST) == 0) {
audit_log_format(audit_buf, " sec_obj=%s",
context.context);
security_release_secctx(&context);
@@ -1120,7 +1123,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
lsmb = (struct lsmblob *)&addr6->lsmblob;
}
- ret_val = security_secid_to_secctx(lsmb, &context);
+ ret_val = security_secid_to_secctx(lsmb, &context, LSMBLOB_FIRST);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 951ba0639d20..1941877fd16f 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -100,7 +100,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
lsmblob_init(&blob, audit_info->secid);
if (audit_info->secid != 0 &&
- security_secid_to_secctx(&blob, &context) == 0) {
+ security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST) == 0) {
audit_log_format(audit_buf, " subj=%s", context.context);
security_release_secctx(&context);
}
diff --git a/security/security.c b/security/security.c
index 96a89fd5802b..a9a56be58e73 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2353,20 +2353,36 @@ EXPORT_SYMBOL(security_ismaclabel);
* security_secid_to_secctx - convert secid to secctx
* @blob: set of secids
* @cp: lsm context into which result is put
+ * @ilsm: which security module to report
*
* Translate secid information into a secctx string.
* Return a negative value on error.
* If cp is NULL return the length of the string.
* Otherwise, return 0.
*/
-int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp)
+int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp,
+ int ilsm)
{
struct security_hook_list *hp;
- int ilsm = lsm_task_ilsm(current);
if (cp)
memset(cp, 0, sizeof(*cp));
+ /*
+ * ilsm either is the slot number use for formatting
+ * or an instruction on which relative slot to use.
+ */
+ if (ilsm == LSMBLOB_DISPLAY)
+ ilsm = lsm_task_ilsm(current);
+ else if (ilsm == LSMBLOB_FIRST)
+ ilsm = LSMBLOB_INVALID;
+ else if (ilsm < 0) {
+ WARN_ONCE(true, "LSM: %s unknown interface LSM\n", __func__);
+ ilsm = LSMBLOB_INVALID;
+ } else if (ilsm >= lsm_slot) {
+ WARN_ONCE(true, "LSM: %s invalid interface LSM\n", __func__);
+ ilsm = LSMBLOB_INVALID;
+ }
hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
--
2.36.1
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2022-06-28 1:10 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20220628005611.13106-1-casey.ref@schaufler-ca.com>
2022-06-28 0:55 ` [PATCH v37 00/33] LSM: Module stacking for AppArmor Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 01/33] integrity: disassociate ima_filter_rule from security_audit_rule Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 02/33] LSM: Infrastructure management of the sock security Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 03/33] LSM: Add the lsmblob data structure Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 04/33] LSM: provide lsm name and id slot mappings Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 05/33] IMA: avoid label collisions with stacked LSMs Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 06/33] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 07/33] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 08/33] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 09/33] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 10/33] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 11/33] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 12/33] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 13/33] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 14/33] LSM: Specify which LSM to display Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 15/33] LSM: Ensure the correct LSM context releaser Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 16/33] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 17/33] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 18/33] LSM: Use lsmcontext in security_dentry_init_security Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 5:36 ` kernel test robot
2022-06-28 5:36 ` kernel test robot
2022-06-28 8:44 ` kernel test robot
2022-06-28 8:44 ` kernel test robot
2022-06-28 11:24 ` kernel test robot
2022-06-28 11:24 ` kernel test robot
2022-06-28 0:55 ` [PATCH v37 19/33] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 20/33] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:55 ` [PATCH v37 21/33] binder: Pass LSM identifier for confirmation Casey Schaufler
2022-06-28 0:55 ` Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler [this message]
2022-06-28 0:56 ` [PATCH v37 22/33] LSM: security_secid_to_secctx module selection Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 23/33] Audit: Keep multiple LSM data in audit_names Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 24/33] Audit: Create audit_stamp structure Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 25/33] LSM: Add a function to report multiple LSMs Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 26/33] Audit: Allow multiple records in an audit_buffer Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 27/33] Audit: Add record for multiple task security contexts Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 28/33] audit: multiple subject lsm values for netlabel Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 29/33] Audit: Add record for multiple object contexts Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 30/33] netlabel: Use a struct lsmblob in audit data Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 31/33] LSM: Removed scaffolding function lsmcontext_init Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 32/33] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-06-28 0:56 ` [PATCH v37 33/33] AppArmor: Remove the exclusive flag Casey Schaufler
2022-06-28 0:56 ` Casey Schaufler
2022-07-12 21:42 ` [PATCH v37 00/33] LSM: Module stacking for AppArmor John Johansen
2022-07-12 21:42 ` John Johansen
2022-07-12 21:58 ` Casey Schaufler
2022-07-12 21:58 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220628005611.13106-23-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.