From: Casey Schaufler <casey@schaufler-ca.com>
To: jmorris@namei.org, linux-security-module@vger.kernel.org,
	selinux@vger.kernel.org
Cc: keescook@chromium.org, john.johansen@canonical.com,
	penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: [PATCH 81/97] LSM: Change error detection for UDP peer security
Date: Thu, 28 Feb 2019 14:43:40 -0800	[thread overview]
Message-ID: <20190228224356.2608-12-casey@schaufler-ca.com> (raw)
In-Reply-To: <20190228224356.2608-1-casey@schaufler-ca.com>

security_socket_getpeercred_dgram() supplies secids for use
by security_secid_to_secctx(). Sometimes a secid will be invalid.
Move the check for an invalid secid from the LSM specific
socket_getpeercred_dgram hooks into the secid_to_secctx hooks.
This allows for the case where one LSM (Smack) provides a
secid and another (SELinux) reports an error for the same call.
Regardless of which LSM the caller wants to see the peer security
attributes for, the correct result will be provided.

As there is no longer any reason for security_secid_to_secctx()
to return a value, make all the secid_to_secctx functions void
instead of int. Add checking for an invalid secid to the Smack
and SELinux secid_to_secctx hooks.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/lsm_hooks.h  |  3 +--
 include/linux/security.h   | 11 +++++------
 net/ipv4/ip_sockglue.c     |  4 +---
 security/security.c        |  7 +++----
 security/selinux/hooks.c   | 13 +++++++------
 security/smack/smack_lsm.c | 17 ++++++++---------
 6 files changed, 25 insertions(+), 30 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 58e5465fdd79..fec7f86897ea 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -867,7 +867,6 @@
  *	@sock is the socket
  *	@skb is the skbuff for the packet being queried
  *	@l is a pointer to a buffer in which to copy the security data
- *	Return 0 on success, error on failure.
  * @sk_alloc_security:
  *	Allocate and attach a security structure to the sk->sk_security field,
  *	which is used to copy security attributes between local stream sockets.
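Review bot: The `socket_getpeersec_dgram` description loses its return line without gaining a statement of what the hook leaves in `@l` when no peer label is available, which is now the only way a failure is signalled. A replacement line such as ` *	On failure @l holds the LSM's invalid secid; the error is reported by secid_to_secctx.` would keep the contract written down next to the hook. The comment block for this hook starts above the hunk, so the wording should be checked against the lines not shown here.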
@@ -1681,7 +1680,7 @@ union security_list_options {
 	int (*socket_getpeersec_stream)(struct socket *sock,
 					char __user *optval,
 					int __user *optlen, unsigned len);
-	int (*socket_getpeersec_dgram)(struct socket *sock,
+	void (*socket_getpeersec_dgram)(struct socket *sock,
 					struct sk_buff *skb,
 					struct lsm_export *l);
 	int (*sk_alloc_security)(struct sock *sk, int family, gfp_t priority);
diff --git a/include/linux/security.h b/include/linux/security.h
index cb392c6b620f..7edceb91d77f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1274,8 +1274,8 @@ int security_socket_shutdown(struct socket *sock, int how);
 int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
 int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
 				      int __user *optlen, unsigned len);
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
-				     struct lsm_export *l);
+void security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+				      struct lsm_export *l);
 int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
 void security_sk_free(struct sock *sk);
 void security_sk_clone(const struct sock *sk, struct sock *newsk);
@@ -1413,11 +1413,10 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
 	return -ENOPROTOOPT;
 }
 
-static inline int security_socket_getpeersec_dgram(struct socket *sock,
-						   struct sk_buff *skb,
-						   struct lsm_export *l)
+static inline void security_socket_getpeersec_dgram(struct socket *sock,
+						    struct sk_buff *skb,
+						    struct lsm_export *l)
 {
-	return -ENOPROTOOPT;
 }
 
 static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
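Review bot: The stub for builds without LSM support now has an empty body, so `*l` is left exactly as the caller passed it, whereas the real implementation in security/security.c calls `lsm_export_init(l)` before running the hooks. `ip_cmsg_recv_security()` hands the same export straight to `security_secid_to_secctx()`, and `le` there is presumably a local, so in this configuration an uninitialised structure may be passed on; whether the matching stub ever reads it is not visible in this patch. If `lsm_export_init()` is usable in this configuration, calling it here (`lsm_export_init(l);`) keeps both builds equivalent; otherwise a comment saying the stub deliberately leaves `@l` untouched would help.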
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 56035b53952d..ae69718d87ae 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -134,9 +134,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 	struct lsm_context lc;
 	int err;
 
-	err = security_socket_getpeersec_dgram(NULL, skb, &le);
-	if (err)
-		return;
+	security_socket_getpeersec_dgram(NULL, skb, &le);
 
 	err = security_secid_to_secctx(&le, &lc);
 	if (err)
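Review bot: With the early return gone, the only guard against an unlabelled peer on this path is the invalid-secid test inside each LSM's `secid_to_secctx` hook. This patch adds that test to SELinux and Smack only; any other LSM that implements `secid_to_secctx` is outside this diff and should be confirmed to reject an empty export, otherwise the receiver could be handed a security context for a datagram whose peer was never labelled. A short comment above the call, e.g. `/* An unset export is rejected by security_secid_to_secctx() below. */`, would record that dependency. The function body starts above and continues past the end of the hunk.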
diff --git a/security/security.c b/security/security.c
index c4265ceb6dd0..ab1050a2dce3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2414,12 +2414,11 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
 				optval, optlen, len);
 }
 
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
-				     struct lsm_export *l)
+void security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+				      struct lsm_export *l)
 {
 	lsm_export_init(l);
-	return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, skb,
-			     l);
+	call_void_hook(socket_getpeersec_dgram, sock, skb, l);
 }
 EXPORT_SYMBOL(security_socket_getpeersec_dgram);
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e149be6226d6..22a190f291c0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4835,9 +4835,9 @@ static int selinux_socket_getpeersec_stream(struct socket *sock,
 	return err;
 }
 
-static int selinux_socket_getpeersec_dgram(struct socket *sock,
-					   struct sk_buff *skb,
-					   struct lsm_export *l)
+static void selinux_socket_getpeersec_dgram(struct socket *sock,
+					    struct sk_buff *skb,
+					    struct lsm_export *l)
 {
 	u32 peer_secid = SECSID_NULL;
 	u16 family;
@@ -4860,9 +4860,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock,
 
 out:
 	selinux_export_secid(l, peer_secid);
-	if (peer_secid == SECSID_NULL)
-		return -EINVAL;
-	return 0;
+	return;
 }
 
 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
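Review bot: The bare `return;` that replaces the error test is the last statement of a void function and can simply be dropped, leaving `selinux_export_secid(l, peer_secid);` as the final line after `out:`. The same leftover appears at the end of `smack_socket_getpeersec_dgram()` in security/smack/smack_lsm.c. Kernel style checkers usually flag a trailing return in a void function. The function starts above this hunk.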
@@ -6206,6 +6204,9 @@ static int selinux_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
 	u32 secid;
 
 	selinux_import_secid(l, &secid);
+	if (secid == SECSID_NULL)
+		return -EINVAL;
+
 	cp->release = selinux_release_secctx;
 	if (l->flags & LSM_EXPORT_LENGTH)
 		return security_sid_to_context(&selinux_state, secid,
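Review bot: The new `SECSID_NULL` test returns before `cp->release` is assigned, so on this path `*cp` is left exactly as the caller provided it. If any caller releases the context after a failed conversion (not visible here), it would act on fields that were never set; the same ordering applies to the `secid == 0` test added to `smack_secid_to_secctx()`, which returns before `cp->context` is written. Either state the rule in a comment, e.g. `/* On error @cp is not touched; callers must not release it. */`, or clear `cp->context` before returning. The function begins above and continues below the hunk.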
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index f1e0f1378666..a4c8f93534ec 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3902,9 +3902,9 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
  *
  * Sets the netlabel socket state on sk from parent
  */
-static int smack_socket_getpeersec_dgram(struct socket *sock,
-					 struct sk_buff *skb,
-					 struct lsm_export *l)
+static void smack_socket_getpeersec_dgram(struct socket *sock,
+					  struct sk_buff *skb,
+					  struct lsm_export *l)
 
 {
 	struct netlbl_lsm_secattr secattr;
@@ -3912,7 +3912,6 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
 	struct smack_known *skp;
 	int family = PF_UNSPEC;
 	u32 s = 0;	/* 0 is the invalid secid */
-	int rc;
 
 	if (skb != NULL) {
 		if (skb->protocol == htons(ETH_P_IP))
@@ -3942,8 +3941,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
 		if (sock != NULL && sock->sk != NULL)
 			ssp = smack_sock(sock->sk);
 		netlbl_secattr_init(&secattr);
-		rc = netlbl_skbuff_getattr(skb, family, &secattr);
-		if (rc == 0) {
+		if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) {
 			skp = smack_from_secattr(&secattr, ssp);
 			s = skp->smk_secid;
 		}
@@ -3958,9 +3956,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
 		break;
 	}
 	smack_export_secid(l, s);
-	if (s == 0)
-		return -EINVAL;
-	return 0;
+	return;
 }
 
 /**
@@ -4373,6 +4369,9 @@ static int smack_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
 	u32 secid;
 
 	smack_import_secid(l, &secid);
+	if (secid == 0)
+		return -EINVAL;
+
 	skp = smack_from_secid(secid);
 
 	cp->context = (l->flags & LSM_EXPORT_LENGTH) ? NULL : skp->smk_known;
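Review bot: The added test compares against a bare `0`, while `smack_socket_getpeersec_dgram()` explains the same value with `/* 0 is the invalid secid */`. Repeating that comment on `if (secid == 0)`, or introducing one named constant used in both places, keeps the two checks from drifting apart now that the rejection has moved here. The function begins above and continues below the hunk.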
-- 
2.17.0

