From: Stephen Smalley <stephen.smalley@gmail.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: "Schaufler, Casey" <casey.schaufler@intel.com>,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Subject: Re: [PATCH 58/59] LSM: Specify which LSM to display with /proc/self/attr/display
Date: Wed, 10 Apr 2019 10:09:40 -0400 [thread overview]
Message-ID: <CAB9W1A2Bgr+gVGNxyVOwd7A52Gp8Kx0dPyd91pSjtXKp4UHoxw@mail.gmail.com> (raw)
In-Reply-To: <CAB9W1A0ZVUHAtAEhYw+HSyOnRdekg=6WQ2RP8PqNAirmDxBkZw@mail.gmail.com>
On Wed, Apr 10, 2019 at 8:43 AM Stephen Smalley
<stephen.smalley@gmail.com> wrote:
>
> On Tue, Apr 9, 2019 at 5:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> > Create a new entry "display" in /proc/.../attr for controlling
> > which LSM security information is displayed for a process.
> > The name of an active LSM that supplies hooks for human readable
> > data may be written to "display" to set the value. The name of
> > the LSM currently in use can be read from "display".
> >
> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > ---
> > fs/proc/base.c | 1 +
> > security/security.c | 123 ++++++++++++++++++++++++++++++++++++++++++--
> > 2 files changed, 121 insertions(+), 3 deletions(-)
> >
> > diff --git a/fs/proc/base.c b/fs/proc/base.c
> > index ddef482f1334..7bf70e041315 100644
> > --- a/fs/proc/base.c
> > +++ b/fs/proc/base.c
> > @@ -2618,6 +2618,7 @@ static const struct pid_entry attr_dir_stuff[] = {
> > ATTR(NULL, "fscreate", 0666),
> > ATTR(NULL, "keycreate", 0666),
> > ATTR(NULL, "sockcreate", 0666),
> > + ATTR(NULL, "display", 0666),
> > #ifdef CONFIG_SECURITY_SMACK
> > DIR("smack", 0555,
> > proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
> > diff --git a/security/security.c b/security/security.c
> > index 29149db3f78a..6e304aa796f9 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -47,9 +47,13 @@ static struct kmem_cache *lsm_inode_cache;
> >
> > char *lsm_names;
> >
> > -/* Socket blobs include infrastructure managed data */
> > +/*
> > + * Socket blobs include infrastructure managed data
> > + * Cred blobs include context display instructions
> > + */
> > static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init = {
> > .lbs_sock = sizeof(struct lsm_export),
> > + .lbs_cred = sizeof(struct lsm_one_hooks),
> > };
> >
> > /**
> > @@ -751,7 +755,10 @@ int lsm_superblock_alloc(struct super_block *sb)
> >
> > #define call_one_int_hook(FUNC, IRC, ...) ({ \
> > int RC = IRC; \
> > - if (lsm_base_one.FUNC.FUNC) \
> > + struct lsm_one_hooks *LOH = current_cred()->security; \
> > + if (LOH->FUNC.FUNC) \
> > + RC = LOH->FUNC.FUNC(__VA_ARGS__); \
> > + else if (LOH->lsm == NULL && lsm_base_one.FUNC.FUNC) \
> > RC = lsm_base_one.FUNC.FUNC(__VA_ARGS__); \
> > RC; \
> > })
> > @@ -1617,6 +1624,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
> >
> > void security_cred_free(struct cred *cred)
> > {
> > + struct lsm_one_hooks *loh;
> > /*
> > * There is a failure case in prepare_creds() that
> > * may result in a call here with ->security being NULL.
> > @@ -1626,26 +1634,44 @@ void security_cred_free(struct cred *cred)
> >
> > call_void_hook(cred_free, cred);
> >
> > + loh = cred->security;
> > + kfree(loh->lsm);
> > kfree(cred->security);
> > cred->security = NULL;
> > }
> >
> > +static int copy_loh(struct lsm_one_hooks *new, struct lsm_one_hooks *old,
> > + gfp_t gfp)
> > +{
> > + *new = *old;
> > + if (old->lsm) {
> > + new->lsm = kstrdup(old->lsm, gfp);
> > + if (unlikely(new->lsm == NULL))
> > + return -ENOMEM;
> > + }
> > + return 0;
> > +}
> > +
> > int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
> > {
> > int rc = lsm_cred_alloc(new, gfp);
> >
> > - if (rc)
> > + if (unlikely(rc))
> > return rc;
> >
> > rc = call_int_hook(cred_prepare, 0, new, old, gfp);
> > if (unlikely(rc))
> > security_cred_free(new);
> > + else
> > + rc = copy_loh(new->security, old->security, gfp);
> > +
> > return rc;
> > }
> >
> > void security_transfer_creds(struct cred *new, const struct cred *old)
> > {
> > call_void_hook(cred_transfer, new, old);
> > + WARN_ON(copy_loh(new->security, old->security, GFP_KERNEL));
> > }
> >
> > void security_cred_getsecid(const struct cred *c, struct lsm_export *l)
> > @@ -1960,10 +1986,28 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
> > char **value)
> > {
> > struct security_hook_list *hp;
> > + struct lsm_one_hooks *loh = current_cred()->security;
> > + char *s;
> > +
> > + if (!strcmp(name, "display")) {
> > + if (loh->lsm)
> > + s = loh->lsm;
> > + else if (lsm_base_one.lsm)
> > + s = lsm_base_one.lsm;
> > + else
> > + return -EINVAL;
> > +
> > + *value = kstrdup(s, GFP_KERNEL);
> > + if (*value)
> > + return strlen(s);
> > + return -ENOMEM;
> > + }
> >
> > hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
> > if (lsm != NULL && strcmp(lsm, hp->lsm))
> > continue;
> > + if (lsm == NULL && loh->lsm && strcmp(loh->lsm, hp->lsm))
> > + continue;
> > return hp->hook.getprocattr(p, name, value);
> > }
> > return -EINVAL;
> > @@ -1973,10 +2017,83 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
> > size_t size)
> > {
> > struct security_hook_list *hp;
> > + struct lsm_one_hooks *loh = current_cred()->security;
> > + bool found = false;
> > + char *s;
> > +
> > + /*
> > + * End the passed name at a newline.
> > + */
> > + s = strnchr(value, size, '\n');
> > + if (s)
> > + *s = '\0';
> > +
> > + if (!strcmp(name, "display")) {
> > + union security_list_options secid_to_secctx;
> > + union security_list_options secctx_to_secid;
> > + union security_list_options socket_getpeersec_stream;
> > +
> > + if (size == 0 || size >= 100)
> > + return -EINVAL;
> > +
> > + secid_to_secctx.secid_to_secctx = NULL;
> > + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx,
> > + list) {
> > + if (size >= strlen(hp->lsm) &&
> > + !strncmp(value, hp->lsm, size)) {
> > + secid_to_secctx = hp->hook;
> > + found = true;
> > + break;
> > + }
> > + }
> > + secctx_to_secid.secctx_to_secid = NULL;
> > + hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid,
> > + list) {
> > + if (size >= strlen(hp->lsm) &&
> > + !strncmp(value, hp->lsm, size)) {
> > + secctx_to_secid = hp->hook;
> > + found = true;
> > + break;
> > + }
> > + }
> > + socket_getpeersec_stream.socket_getpeersec_stream = NULL;
> > + hlist_for_each_entry(hp,
> > + &security_hook_heads.socket_getpeersec_stream,
> > + list) {
> > + if (size >= strlen(hp->lsm) &&
> > + !strncmp(value, hp->lsm, size)) {
> > + socket_getpeersec_stream = hp->hook;
> > + found = true;
> > + break;
> > + }
> > + }
> > + if (!found)
> > + return -EINVAL;
> > +
> > + /*
> > + * The named lsm is active and supplies one or more
> > + * of the relevant hooks. Switch to it.
> > + */
> > + s = kmemdup(value, size + 1, GFP_KERNEL);
> > + if (s == NULL)
> > + return -ENOMEM;
> > + s[size] = '\0';
> > +
> > + if (loh->lsm)
> > + kfree(loh->lsm);
> > + loh->lsm = s;
> > + loh->secid_to_secctx = secid_to_secctx;
> > + loh->secctx_to_secid = secctx_to_secid;
> > + loh->socket_getpeersec_stream = socket_getpeersec_stream;
>
> You can't just write to the cred security blob like this; it is a
> shared data structure, not per-task.
To be clear, you either need to perform a new = prepare_creds(); /*
modify new->security as desired */; commit_creds(new); sequence here,
or use the task security blob instead of the cred security blob. The
latter seems more amenable to your needs.
>
> > +
> > + return size;
> > + }
> >
> > hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
> > if (lsm != NULL && strcmp(lsm, hp->lsm))
> > continue;
> > + if (lsm == NULL && loh->lsm && strcmp(loh->lsm, hp->lsm))
> > + continue;
> > return hp->hook.setprocattr(name, value, size);
> > }
> > return -EINVAL;
> > --
> > 2.19.1
> >
next prev parent reply other threads:[~2019-04-10 14:10 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 21:38 [PATCH 00/59] LSM: Module stacking for AppArmor Casey Schaufler
2019-04-09 21:38 ` [PATCH 01/59] LSM: Infrastructure management of the superblock Casey Schaufler
2019-04-09 21:38 ` [PATCH 02/59] LSM: Infrastructure management of the sock security Casey Schaufler
2019-04-09 21:38 ` [PATCH 03/59] LSM: Infrastructure management of the key security blob Casey Schaufler
2019-04-09 21:38 ` [PATCH 04/59] LSM: Create an lsm_export data structure Casey Schaufler
2019-04-09 21:38 ` [PATCH 05/59] LSM: Use lsm_export in the inode_getsecid hooks Casey Schaufler
2019-04-09 21:38 ` [PATCH 06/59] LSM: Use lsm_export in the cred_getsecid hooks Casey Schaufler
2019-04-09 21:38 ` [PATCH 07/59] LSM: Use lsm_export in the ipc_getsecid and task_getsecid hooks Casey Schaufler
2019-04-09 21:38 ` [PATCH 08/59] LSM: Use lsm_export in the kernel_ask_as hooks Casey Schaufler
2019-04-09 21:38 ` [PATCH 09/59] LSM: Use lsm_export in the getpeersec_dgram hooks Casey Schaufler
2019-04-09 21:38 ` [PATCH 10/59] LSM: Use lsm_export in the audit_rule_match hooks Casey Schaufler
2019-04-09 21:38 ` [PATCH 11/59] LSM: Fix logical operation in lsm_export checks Casey Schaufler
2019-04-09 21:38 ` [PATCH 12/59] LSM: Use lsm_export in the secid_to_secctx hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 13/59] LSM: Use lsm_export in the secctx_to_secid hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 14/59] LSM: Use lsm_export in security_audit_rule_match Casey Schaufler
2019-04-09 21:39 ` [PATCH 15/59] LSM: Use lsm_export in security_kernel_act_as Casey Schaufler
2019-04-09 21:39 ` [PATCH 16/59] LSM: Use lsm_export in security_socket_getpeersec_dgram Casey Schaufler
2019-04-09 21:39 ` [PATCH 17/59] LSM: Use lsm_export in security_secctx_to_secid Casey Schaufler
2019-04-09 21:39 ` [PATCH 18/59] LSM: Use lsm_export in security_secid_to_secctx Casey Schaufler
2019-04-09 21:39 ` [PATCH 19/59] LSM: Use lsm_export in security_ipc_getsecid Casey Schaufler
2019-04-09 21:39 ` [PATCH 20/59] LSM: Use lsm_export in security_task_getsecid Casey Schaufler
2019-04-09 21:39 ` [PATCH 21/59] LSM: Use lsm_export in security_inode_getsecid Casey Schaufler
2019-04-09 21:39 ` [PATCH 22/59] LSM: Use lsm_export in security_cred_getsecid Casey Schaufler
2019-04-09 21:39 ` [PATCH 23/59] Audit: Change audit_sig_sid to audit_sig_lsm Casey Schaufler
2019-04-09 21:39 ` [PATCH 24/59] Audit: Convert target_sid to an lsm_export structure Casey Schaufler
2019-04-09 21:39 ` [PATCH 25/59] Audit: Convert osid " Casey Schaufler
2019-04-09 21:39 ` [PATCH 26/59] IMA: Clean out lsm_export scaffolding Casey Schaufler
2019-04-09 21:39 ` [PATCH 27/59] NET: Store LSM access information in the socket blob for UDS Casey Schaufler
2019-04-10 12:28 ` Stephen Smalley
2019-04-09 21:39 ` [PATCH 28/59] NET: Remove scaffolding on secmarks Casey Schaufler
2019-04-09 21:39 ` [PATCH 29/59] NET: Remove scaffolding on new secmarks Casey Schaufler
2019-04-09 21:39 ` [PATCH 30/59] NET: Remove netfilter scaffolding for lsm_export Casey Schaufler
2019-04-09 21:39 ` [PATCH 31/59] Netlabel: Replace secids with lsm_export Casey Schaufler
2019-04-09 21:39 ` [PATCH 32/59] LSM: Remove lsm_export scaffolding functions Casey Schaufler
2019-04-09 21:39 ` [PATCH 33/59] IMA: FIXUP prototype using lsm_export Casey Schaufler
2019-04-09 21:39 ` [PATCH 34/59] Smack: Restore the release_secctx hook Casey Schaufler
2019-04-09 21:39 ` [PATCH 35/59] AppArmor: Remove unnecessary hook stub Casey Schaufler
2019-04-09 21:39 ` [PATCH 36/59] LSM: Limit calls to certain module hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 37/59] LSM: Create a data structure for a security context Casey Schaufler
2019-04-09 21:39 ` [PATCH 38/59] LSM: Use lsm_context in secid_to_secctx hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 39/59] LSM: Use lsm_context in secctx_to_secid hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 40/59] LSM: Use lsm_context in inode_getsecctx hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 41/59] LSM: Use lsm_context in inode_notifysecctx hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 42/59] LSM: Use lsm_context in dentry_init_security hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 43/59] LSM: Use lsm_context in security_dentry_init_security Casey Schaufler
2019-04-09 21:39 ` [PATCH 44/59] LSM: Use lsm_context in security_inode_notifysecctx Casey Schaufler
2019-04-09 21:39 ` [PATCH 45/59] LSM: Use lsm_context in security_inode_getsecctx Casey Schaufler
2019-04-09 21:39 ` [PATCH 46/59] LSM: Use lsm_context in security_secctx_to_secid Casey Schaufler
2019-04-09 21:39 ` [PATCH 47/59] LSM: Use lsm_context in release_secctx hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 48/59] LSM: Use lsm_context in security_release_secctx Casey Schaufler
2019-04-09 21:39 ` [PATCH 49/59] LSM: Use lsm_context in security_secid_to_secctx Casey Schaufler
2019-04-09 21:39 ` [PATCH 50/59] fs: remove lsm_context scaffolding Casey Schaufler
2019-04-09 21:39 ` [PATCH 51/59] LSM: Add the release function to the lsm_context Casey Schaufler
2019-04-09 21:39 ` [PATCH 52/59] LSM: Use lsm_context in inode_setsecctx hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 53/59] LSM: Use lsm_context in security_inode_setsecctx Casey Schaufler
2019-04-09 21:39 ` [PATCH 54/59] kernfs: remove lsm_context scaffolding Casey Schaufler
2019-04-09 21:39 ` [PATCH 55/59] LSM: Remove unused macro Casey Schaufler
2019-04-09 21:39 ` [PATCH 56/59] LSM: Special handling for secctx lsm hooks Casey Schaufler
2019-04-09 21:39 ` [PATCH 57/59] SELinux: Use blob offset in current_sid Casey Schaufler
2019-04-09 21:39 ` [PATCH 58/59] LSM: Specify which LSM to display with /proc/self/attr/display Casey Schaufler
2019-04-10 12:43 ` Stephen Smalley
2019-04-10 14:09 ` Stephen Smalley [this message]
2019-04-10 17:18 ` Casey Schaufler
2019-04-09 21:39 ` [PATCH 59/59] AppArmor: Remove the exclusive flag Casey Schaufler
2019-04-10 12:52 ` [PATCH 00/59] LSM: Module stacking for AppArmor Stephen Smalley
2019-04-10 15:36 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAB9W1A2Bgr+gVGNxyVOwd7A52Gp8Kx0dPyd91pSjtXKp4UHoxw@mail.gmail.com \
--to=stephen.smalley@gmail.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).