From: "Mickaël Salaün" <mic@digikod.net>
To: Casey Schaufler <casey@schaufler-ca.com>,
casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: keescook@chromium.org, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
sds@tycho.nsa.gov
Subject: Re: [PATCH v13 02/25] LSM: Create and manage the lsmblob data structure.
Date: Wed, 25 Dec 2019 21:34:12 +0100 [thread overview]
Message-ID: <b7ad7c0d-bf83-c37f-1248-f6ea27939ccc@digikod.net> (raw)
In-Reply-To: <20191224235939.7483-3-casey@schaufler-ca.com>
On 25/12/2019 00:59, Casey Schaufler wrote:
> When more than one security module is exporting data to
> audit and networking sub-systems a single 32 bit integer
> is no longer sufficient to represent the data. Add a
> structure to be used instead.
>
> The lsmblob structure is currently an array of
> u32 "secids". There is an entry for each of the
> security modules built into the system that would
> use secids if active. The system assigns the module
> a "slot" when it registers hooks. If modules are
> compiled in but not registered there will be unused
> slots.
>
> A new lsm_id structure, which contains the name
> of the LSM and its slot number, is created. There
> is an instance for each LSM, which assigns the name
> and passes it to the infrastructure to set the slot.
>
> Reviewed-by: John Johansen <john.johansen@canonical.com>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/lsm_hooks.h | 12 ++++++--
> include/linux/security.h | 58 ++++++++++++++++++++++++++++++++++++
> security/apparmor/lsm.c | 7 ++++-
> security/commoncap.c | 7 ++++-
> security/loadpin/loadpin.c | 8 ++++-
> security/lockdown/lockdown.c | 7 ++++-
> security/safesetid/lsm.c | 8 ++++-
> security/security.c | 28 +++++++++++++----
> security/selinux/hooks.c | 8 ++++-
> security/smack/smack_lsm.c | 7 ++++-
> security/tomoyo/tomoyo.c | 8 ++++-
> security/yama/yama_lsm.c | 7 ++++-
> 12 files changed, 148 insertions(+), 17 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index c2b1af29a8f0..7eb808cde051 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -2077,6 +2077,14 @@ struct security_hook_heads {
> #endif
> } __randomize_layout;
>
> +/*
> + * Information that identifies a security module.
> + */
> +struct lsm_id {
> + const char *lsm; /* Name of the LSM */
> + int slot; /* Slot in lsmblob if one is allocated */
> +};
> +
> /*
> * Security module hook list structure.
> * For use with generic list macros for common operations.
> @@ -2085,7 +2093,7 @@ struct security_hook_list {
> struct hlist_node list;
> struct hlist_head *head;
> union security_list_options hook;
> - char *lsm;
> + struct lsm_id *lsmid;
> } __randomize_layout;
>
> /*
> @@ -2114,7 +2122,7 @@ extern struct security_hook_heads security_hook_heads;
> extern char *lsm_names;
>
> extern void security_add_hooks(struct security_hook_list *hooks, int count,
> - char *lsm);
> + struct lsm_id *lsmid);
>
> #define LSM_FLAG_LEGACY_MAJOR BIT(0)
> #define LSM_FLAG_EXCLUSIVE BIT(1)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 3e8d4bacd59d..b74dc70088ca 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -128,6 +128,64 @@ enum lockdown_reason {
> LOCKDOWN_CONFIDENTIALITY_MAX,
> };
>
> +/*
> + * Data exported by the security modules
> + *
> + * Any LSM that provides secid or secctx based hooks must be included.
> + */
> +#define LSMBLOB_ENTRIES ( \
> + (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \
> + (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \
> + (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0))
> +
> +struct lsmblob {
> + u32 secid[LSMBLOB_ENTRIES];
> +};
> +
> +#define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */
> +#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */
> +#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */
> +
> +/**
> + * lsmblob_init - initialize an lsmblob structure.
> + * @blob: Pointer to the data to initialize
> + * @secid: The initial secid value
> + *
> + * Set all secid for all modules to the specified value.
> + */
> +static inline void lsmblob_init(struct lsmblob *blob, u32 secid)
> +{
> + int i;
> +
> + for (i = 0; i < LSMBLOB_ENTRIES; i++)
> + blob->secid[i] = secid;
> +}
> +
> +/**
> + * lsmblob_is_set - report if there is an value in the lsmblob
> + * @blob: Pointer to the exported LSM data
> + *
> + * Returns true if there is a secid set, false otherwise
> + */
> +static inline bool lsmblob_is_set(struct lsmblob *blob)
> +{
> + struct lsmblob empty = {};
> +
> + return !!memcmp(blob, &empty, sizeof(*blob));
> +}
> +
> +/**
> + * lsmblob_equal - report if the two lsmblob's are equal
> + * @bloba: Pointer to one LSM data
> + * @blobb: Pointer to the other LSM data
> + *
> + * Returns true if all entries in the two are equal, false otherwise
> + */
> +static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
> +{
> + return !memcmp(bloba, blobb, sizeof(*bloba));
> +}
> +
> /* These functions are in security/commoncap.c */
> extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
> int cap, unsigned int opts);
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 61b24f4eb355..146d75e5e021 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1147,6 +1147,11 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
> .lbs_sock = sizeof(struct aa_sk_ctx),
> };
>
> +static struct lsm_id apparmor_lsmid __lsm_ro_after_init = {
> + .lsm = "apparmor",
> + .slot = LSMBLOB_NEEDED
> +};
> +
> static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
> LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
> @@ -1847,7 +1852,7 @@ static int __init apparmor_init(void)
> goto buffers_out;
> }
> security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
> - "apparmor");
> + &apparmor_lsmid);
>
> /* Report that AppArmor successfully initialized */
> apparmor_initialized = 1;
> diff --git a/security/commoncap.c b/security/commoncap.c
> index f4ee0ae106b2..9dcfd2a0e891 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -1339,6 +1339,11 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,
>
> #ifdef CONFIG_SECURITY
>
> +static struct lsm_id capability_lsmid __lsm_ro_after_init = {
> + .lsm = "capability",
> + .slot = LSMBLOB_NOT_NEEDED
> +};
> +
> static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(capable, cap_capable),
> LSM_HOOK_INIT(settime, cap_settime),
> @@ -1363,7 +1368,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
> static int __init capability_init(void)
> {
> security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
> - "capability");
> + &capability_lsmid);
> return 0;
> }
>
> diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
> index ee5cb944f4ad..86317e78899f 100644
> --- a/security/loadpin/loadpin.c
> +++ b/security/loadpin/loadpin.c
> @@ -180,6 +180,11 @@ static int loadpin_load_data(enum kernel_load_data_id id)
> return loadpin_read_file(NULL, (enum kernel_read_file_id) id);
> }
>
> +static struct lsm_id loadpin_lsmid __lsm_ro_after_init = {
> + .lsm = "loadpin",
> + .slot = LSMBLOB_NOT_NEEDED
> +};
> +
> static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
> LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
> @@ -227,7 +232,8 @@ static int __init loadpin_init(void)
> pr_info("ready to pin (currently %senforcing)\n",
> enforce ? "" : "not ");
> parse_exclude();
> - security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
> + security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks),
> + &loadpin_lsmid);
> return 0;
> }
>
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index b2f87015d6e9..91662325e450 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -102,6 +102,11 @@ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
> };
>
> +static struct lsm_id lockdown_lsmid __lsm_ro_after_init = {
> + .lsm = "landlock",
Working on it but not there yet ;)
next prev parent reply other threads:[~2019-12-25 20:40 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20191224235939.7483-1-casey.ref@schaufler-ca.com>
2019-12-24 23:59 ` [PATCH v13 00/25] LSM: Module stacking for AppArmor Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 01/25] LSM: Infrastructure management of the sock security Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 02/25] LSM: Create and manage the lsmblob data structure Casey Schaufler
2019-12-25 20:34 ` Mickaël Salaün [this message]
2019-12-24 23:59 ` [PATCH v13 03/25] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2019-12-31 13:13 ` Mimi Zohar
2020-01-02 23:36 ` Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 04/25] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 05/25] net: Prepare UDS for security module stacking Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 06/25] Use lsmblob in security_secctx_to_secid Casey Schaufler
2020-01-07 17:45 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH v13 07/25] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 08/25] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 09/25] LSM: Use lsmblob in security_task_getsecid Casey Schaufler
2020-01-07 17:53 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH v13 10/25] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 11/25] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 12/25] IMA: Change internal interfaces to use lsmblobs Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 13/25] LSM: Specify which LSM to display Casey Schaufler
2020-01-07 19:02 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH v13 14/25] LSM: Ensure the correct LSM context releaser Casey Schaufler
2020-01-07 19:16 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH v13 15/25] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2020-01-06 16:15 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH v13 16/25] LSM: Use lsmcontext in security_dentry_init_security Casey Schaufler
2020-01-07 19:23 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH v13 17/25] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 18/25] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 19/25] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2020-01-07 19:25 ` Stephen Smalley
2020-01-07 21:58 ` Casey Schaufler
2020-01-09 14:34 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH v13 20/25] LSM: Verify LSM display sanity in binder Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 21/25] Audit: Add subj_LSM fields when necessary Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 22/25] Audit: Include object data for all security modules Casey Schaufler
2019-12-24 23:59 ` [PATCH v13 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs Casey Schaufler
2020-01-06 17:15 ` Stephen Smalley
2020-01-06 17:29 ` Simon McVittie
2020-01-06 18:03 ` Casey Schaufler
2020-01-06 18:45 ` Stephen Smalley
2020-01-06 18:43 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH 24/25] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2020-01-06 16:22 ` Stephen Smalley
2019-12-24 23:59 ` [PATCH v13 25/25] AppArmor: Remove the exclusive flag Casey Schaufler
2020-01-03 18:53 ` [PATCH v13 26/25] Audit: Multiple LSM support in audit rules Casey Schaufler
2020-01-09 16:33 ` Mimi Zohar
2020-01-10 19:40 ` Casey Schaufler
2020-01-12 15:37 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b7ad7c0d-bf83-c37f-1248-f6ea27939ccc@digikod.net \
--to=mic@digikod.net \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).