Re: [TOMOYO #16 17/25] TOMOYO: Add capability support.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [TOMOYO #16 17/25] TOMOYO: Add capability support.
Date: Thu, 29 Oct 2009 00:23:01 -0500	[thread overview]
Message-ID: <20091029052301.GC11558@us.ibm.com> (raw)
In-Reply-To: <20091004125332.899378759@I-love.SAKURA.ne.jp>

Quoting Tetsuo Handa (penguin-kernel@I-love.SAKURA.ne.jp):
> This patch contains code for checking non-posix capability.
> 
> TOMOYO is ready to support 65536 types of non-posix capabilities.
> But I can't utilize TOMOYO's ability because
> 
>  (1) Hooks are missing.

please send patches.

>    or
>  (2) Posix's capability and functionality are not one to one mapping.
>      Therefore I can't derive functionality the caller wants to use from
>      posix's capability number (e.g. CAP_SYS_ADMIN).

Hmm, it should be possible to address this in a back-compatible way.  I.e.,

#define CAP_CHOWN 0
...
#define CAP_SYS_ADMIN 21
...
#define CAP_MAC_ADMIN 33

/* start enhanced capabilities */
#ifdef CONFIG_CAPABILITIES_ENHANCED
#define CAP_SAK_CONFIG 200
#define CAP_RND_ADMIN 201
#define CAP_SYS_HOSTNAME 202
...
#else
#define CAP_SAK_CONFIG CAP_SYS_ADMIN
#define CAP_RND_ADMIN CAP_SYS_ADMIN
#define CAP_SYS_HOSTNAME CAP_SYS_ADMIN
#endif

Plus of course all that is needed (if CONFIG_CAPABILITIES_ENHANCED=y)
to support all those caps.

>    or
>  (3) Hooks are provided but it is not permitted to sleep (e.g. CAP_SYS_NICE)
>      while TOMOYO needs hooks where it is permitted to sleep.
>    or
>  (4) System calls and device drivers use the same posix's capability number.
>      Thus whether MAC's policy suits or not depends on hardware the system
>      is running. TOMOYO wants to distinguish requests from userland
>      applications and requests from kernel drivers, but I can't distinguish
>      it from posix's capability number.

Same thing?

> Therefore, LSM version of TOMOYO has very poor support compared to non-LSM
> version of TOMOYO. I hope this problem is solved in the future.
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  security/tomoyo/capability.c |  141 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 141 insertions(+)
> 
> --- /dev/null
> +++ security-testing-2.6/security/tomoyo/capability.c
> @@ -0,0 +1,141 @@
> +/*
> + * security/tomoyo/capability.c
> + *
> + * Copyright (C) 2005-2009  NTT DATA CORPORATION
> + */
> +#include "internal.h"
> +
> +/**
> + * tomoyo_audit_capability_log - Audit capability log.
> + *
> + * @r:          Pointer to "struct tomoyo_request_info".
> + * @operation:  Type of operation.
> + * @is_granted: True if this is a granted log.
> + *
> + * Returns 0 on success, negative value otherwise.
> + */
> +static int tomoyo_audit_capability_log(struct tomoyo_request_info *r,
> +				       const u8 operation,
> +				       const bool is_granted)
> +{
> +	if (!is_granted)
> +		tomoyo_warn_log(r, "capability %s",
> +				tomoyo_cap2keyword(operation));
> +	return tomoyo_write_audit_log(is_granted, r,
> +				      TOMOYO_KEYWORD_ALLOW_CAPABILITY "%s\n",
> +				      tomoyo_cap2keyword(operation));
> +}
> +
> +/**
> + * tomoyo_capable - Check permission for capability.
> + *
> + * @operation: Type of operation.
> + *
> + * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
> + */
> +static bool tomoyo_capable2(const u8 operation)
> +{
> +	struct tomoyo_request_info r;
> +	struct tomoyo_acl_info *ptr;
> +	int error;
> +	if (tomoyo_init_request_info(&r, NULL, TOMOYO_MAX_MAC_INDEX +
> +				     operation) == TOMOYO_CONFIG_DISABLED)
> +		return true;
> +	do {
> +		error = -EPERM;
> +		list_for_each_entry_rcu(ptr, &r.domain->acl_info_list, list) {
> +			struct tomoyo_capability_acl *acl;
> +			if (ptr->is_deleted ||
> +			    ptr->type != TOMOYO_TYPE_CAPABILITY_ACL)
> +				continue;
> +			acl = container_of(ptr, struct tomoyo_capability_acl,
> +					   head);
> +			if (acl->operation != operation ||
> +			    !tomoyo_condition(&r, ptr))
> +				continue;
> +			r.cond = ptr->cond;
> +			error = 0;
> +			break;
> +		}
> +		tomoyo_audit_capability_log(&r, operation, !error);
> +		if (!error)
> +			break;
> +		error = tomoyo_supervisor(&r, TOMOYO_KEYWORD_ALLOW_CAPABILITY
> +					  "%s\n",
> +					  tomoyo_cap2keyword(operation));
> +	} while (error == 1);
> +	return !error;
> +}
> +
> +/**
> + * tomoyo_capable - Check permission for capability.
> + *
> + * @operation: Type of operation.
> + *
> + * Returns true on success, false otherwise.
> + */
> +bool tomoyo_capable(const u8 operation)
> +{
> +	const int idx = tomoyo_read_lock();
> +	const int error = tomoyo_capable2(operation);
> +	tomoyo_read_unlock(idx);
> +	return error;
> +}
> +
> +/**
> + * tomoyo_write_capability_policy - Write "struct tomoyo_capability_acl" list.
> + *
> + * @data:      String to parse.
> + * @domain:    Pointer to "struct tomoyo_domain_info".
> + * @condition: Pointer to "struct tomoyo_condition". May be NULL.
> + * @is_delete: True if it is a delete request.
> + *
> + * Returns 0 on success, negative value otherwise.
> + */
> +int tomoyo_write_capability_policy(char *data,
> +				   struct tomoyo_domain_info *domain,
> +				   struct tomoyo_condition *condition,
> +				   const bool is_delete)
> +{
> +	struct tomoyo_capability_acl e = {
> +		.head.type = TOMOYO_TYPE_CAPABILITY_ACL,
> +		.head.cond = condition,
> +	};
> +	struct tomoyo_capability_acl *entry = NULL;
> +	struct tomoyo_acl_info *ptr;
> +	int error = is_delete ? -ENOENT : -ENOMEM;
> +	u8 capability;
> +	for (capability = 0; capability < TOMOYO_MAX_CAPABILITY_INDEX;
> +	     capability++) {
> +		if (strcmp(data, tomoyo_cap2keyword(capability)))
> +			continue;
> +		break;
> +	}
> +	if (capability == TOMOYO_MAX_CAPABILITY_INDEX)
> +		return -EINVAL;
> +	e.operation = capability;
> +	if (!is_delete)
> +		entry = kmalloc(sizeof(e), GFP_KERNEL);
> +	mutex_lock(&tomoyo_policy_lock);
> +	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
> +		struct tomoyo_capability_acl *acl =
> +			container_of(ptr, struct tomoyo_capability_acl,
> +				     head);
> +		if (ptr->type != TOMOYO_TYPE_CAPABILITY_ACL ||
> +		    ptr->cond != condition || acl->operation != capability)
> +			continue;
> +		ptr->is_deleted = is_delete;
> +		error = 0;
> +		break;
> +	}
> +	if (!is_delete && error && tomoyo_commit_ok(entry, &e, sizeof(e))) {
> +		tomoyo_add_domain_acl(domain, &entry->head);
> +		entry = NULL;
> +		error = 0;
> +	}
> +	mutex_unlock(&tomoyo_policy_lock);
> +	kfree(entry);
> +	return error;
> +}
> 
> -- 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

next prev parent reply	other threads:[~2009-10-29  5:22 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-10-04 12:49 [TOMOYO #16 00/25] Starting TOMOYO 2.3 Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() and security_path_chown() Tetsuo Handa
2009-10-08 17:10   ` John Johansen
2009-10-12  1:04     ` James Morris
2009-10-13 11:34       ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() andsecurity_path_chown() Tetsuo Handa
2009-10-13 11:37         ` [PATCH] TOMOYO: Add recursive directory matching operator support Tetsuo Handa
2009-10-13 11:39           ` [PATCH] TOMOYO: Use RCU primitives for list operation Tetsuo Handa
2009-10-13 11:41             ` [PATCH] TOMOYO: Bring memory allocation to outside semaphore Tetsuo Handa
2009-10-29  5:40             ` [PATCH] TOMOYO: Use RCU primitives for list operation Serge E. Hallyn
2009-12-04 12:34               ` Tetsuo Handa
2009-10-29  5:12   ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() and security_path_chown() Serge E. Hallyn
2009-10-29 15:56     ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() andsecurity_path_chown() Tetsuo Handa
2009-11-22  2:49       ` [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock() Tetsuo Handa
2009-11-23 10:09         ` John Johansen
2009-11-23 21:50           ` James Morris
2009-10-04 12:49 ` [TOMOYO #16 02/25] LSM: Add security_path_chroot() Tetsuo Handa
2009-10-08 17:12   ` John Johansen
2009-10-29  5:32   ` Serge E. Hallyn
2009-10-04 12:49 ` [TOMOYO #16 03/25] LSM: Pass original mount flags to security_sb_mount() Tetsuo Handa
2009-10-08 17:22   ` John Johansen
2009-10-04 12:49 ` [TOMOYO #16 04/25] TOMOYO: Add header file Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 05/25] TOMOYO: Add per task_struct variables Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 06/25] TOMOYO: Add LSM adaptor Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 07/25] TOMOYO: Add path_group keyword support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 08/25] TOMOYO: Add number_group " Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 09/25] TOMOYO: Add address_group " Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 10/25] TOMOYO: Add conditional ACL support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 11/25] TOMOYO: Add auditing support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 12/25] TOMOYO: Memory management support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 13/25] TOMOYO: Add garbage collector support Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 14/25] TOMOYO: Add network restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 15/25] TOMOYO: Add mount restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 16/25] TOMOYO: Add environment variables restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 17/25] TOMOYO: Add capability support Tetsuo Handa
2009-10-29  5:23   ` Serge E. Hallyn [this message]
2009-10-04 12:50 ` [TOMOYO #16 18/25] TOMOYO: Add utility functions Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 19/25] TOMOYO: Add policy I/O handler Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 20/25] TOMOYO: Add policy loader launcher Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 21/25] TOMOYO: Add securityfs interface Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 22/25] TOMOYO: Add pathname calculation functions Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 23/25] TOMOYO: Add file access restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 24/25] TOMOYO: Add domain transition handler Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 25/25] TOMOYO: Update Kconfig and Makefile Tetsuo Handa
2009-10-06  9:39 ` [TOMOYO #16 00/25] Starting TOMOYO 2.3 Pavel Machek
2009-10-07  4:09   ` Tetsuo Handa
2009-10-07  7:38     ` Pavel Machek
2009-10-07 13:30       ` Tetsuo Handa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20091029052301.GC11558@us.ibm.com \
    --to=serue@us.ibm.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=penguin-kernel@I-love.SAKURA.ne.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.