From: Daniel Colascione <dancol@google.com>
To: dancol@google.com, timmurray@google.com, nosh@google.com,
nnk@google.com, lokeshgidra@google.com,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
selinux@vger.kernel.org
Subject: [PATCH v2 2/6] Add a concept of a "secure" anonymous file
Date: Tue, 11 Feb 2020 14:55:43 -0800 [thread overview]
Message-ID: <20200211225547.235083-3-dancol@google.com> (raw)
In-Reply-To: <20200211225547.235083-1-dancol@google.com>
A secure anonymous file is one we hooked up to its own inode (as
opposed to the shared inode we use for non-secure anonymous files). A
new selinux hook gives security modules a chance to initialize, label,
and veto the creation of these secure anonymous files. Security
modules had limit ability to interact with non-secure anonymous files
due to all of these files sharing a single inode.
Signed-off-by: Daniel Colascione <dancol@google.com>
---
fs/anon_inodes.c | 45 ++++++++++++++++++++++++++++++---------
include/linux/lsm_hooks.h | 8 +++++++
include/linux/security.h | 2 ++
security/security.c | 8 +++++++
4 files changed, 53 insertions(+), 10 deletions(-)
diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index caa36019afca..d68d76523ad3 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -55,6 +55,23 @@ static struct file_system_type anon_inode_fs_type = {
.kill_sb = kill_anon_super,
};
+struct inode *anon_inode_make_secure_inode(const char *name,
+ const struct file_operations *fops)
+{
+ struct inode *inode;
+ int error;
+ inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);
+ if (IS_ERR(inode))
+ return ERR_PTR(PTR_ERR(inode));
+ inode->i_flags &= ~S_PRIVATE;
+ error = security_inode_init_security_anon(inode, name, fops);
+ if (error) {
+ iput(inode);
+ return ERR_PTR(error);
+ }
+ return inode;
+}
+
/**
* anon_inode_getfile2 - creates a new file instance by hooking it up to
* an anonymous inode, and a dentry that describe
@@ -72,7 +89,9 @@ static struct file_system_type anon_inode_fs_type = {
* hence saving memory and avoiding code duplication for the file/inode/dentry
* setup. Returns the newly created file* or an error pointer.
*
- * anon_inode_flags must be zero.
+ * If anon_inode_flags contains ANON_INODE_SECURE, create a new inode
+ * and enable security checks for it. Otherwise, attach a new file to
+ * a singleton placeholder inode with security checks disabled.
*/
struct file *anon_inode_getfile2(const char *name,
const struct file_operations *fops,
@@ -81,17 +100,23 @@ struct file *anon_inode_getfile2(const char *name,
struct inode *inode;
struct file *file;
- if (anon_inode_flags)
+ if (anon_inode_flags & ~ANON_INODE_SECURE)
return ERR_PTR(-EINVAL);
- inode = anon_inode_inode;
- if (IS_ERR(inode))
- return ERR_PTR(-ENODEV);
- /*
- * We know the anon_inode inode count is always
- * greater than zero, so ihold() is safe.
- */
- ihold(inode);
+ if (anon_inode_flags & ANON_INODE_SECURE) {
+ inode = anon_inode_make_secure_inode(name, fops);
+ if (IS_ERR(inode))
+ return ERR_PTR(PTR_ERR(inode));
+ } else {
+ inode = anon_inode_inode;
+ if (IS_ERR(inode))
+ return ERR_PTR(-ENODEV);
+ /*
+ * We know the anon_inode inode count is always
+ * greater than zero, so ihold() is safe.
+ */
+ ihold(inode);
+ }
if (fops->owner && !try_module_get(fops->owner)) {
file = ERR_PTR(-ENOENT);
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 20d8cf194fb7..ba208ce5711d 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -215,6 +215,10 @@
* Returns 0 if @name and @value have been successfully set,
* -EOPNOTSUPP if no security attribute is needed, or
* -ENOMEM on memory allocation failure.
+ * @inode_init_security_anon:
+ * Set up a secure anonymous inode.
+ * Returns 0 on success. Returns -EPERM if the security module denies
+ * the creation of this inode.
* @inode_create:
* Check permission to create a regular file.
* @dir contains inode structure of the parent of the new file.
@@ -1552,6 +1556,9 @@ union security_list_options {
const struct qstr *qstr,
const char **name, void **value,
size_t *len);
+ int (*inode_init_security_anon)(struct inode *inode,
+ const char *name,
+ const struct file_operations *fops);
int (*inode_create)(struct inode *dir, struct dentry *dentry,
umode_t mode);
int (*inode_link)(struct dentry *old_dentry, struct inode *dir,
@@ -1884,6 +1891,7 @@ struct security_hook_heads {
struct hlist_head inode_alloc_security;
struct hlist_head inode_free_security;
struct hlist_head inode_init_security;
+ struct hlist_head inode_init_security_anon;
struct hlist_head inode_create;
struct hlist_head inode_link;
struct hlist_head inode_unlink;
diff --git a/include/linux/security.h b/include/linux/security.h
index 64b19f050343..8625b647dd0b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -320,6 +320,8 @@ void security_inode_free(struct inode *inode);
int security_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr,
initxattrs initxattrs, void *fs_data);
+int security_inode_init_security_anon(struct inode *inode, const char *name,
+ const struct file_operations *fops);
int security_old_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, const char **name,
void **value, size_t *len);
diff --git a/security/security.c b/security/security.c
index 565bc9b67276..78dc6096b30f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1033,6 +1033,14 @@ int security_inode_init_security(struct inode *inode, struct inode *dir,
}
EXPORT_SYMBOL(security_inode_init_security);
+int
+security_inode_init_security_anon(struct inode *inode,
+ const char *name,
+ const struct file_operations *fops)
+{
+ return call_int_hook(inode_init_security_anon, 0, inode, name, fops);
+}
+
int security_old_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, const char **name,
void **value, size_t *len)
--
2.25.0.225.g125e21ebc7-goog
next prev parent reply other threads:[~2020-02-11 22:55 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-11 22:55 [PATCH v2 0/6] Harden userfaultfd Daniel Colascione
2020-02-11 22:55 ` Daniel Colascione
2020-02-11 22:55 ` [PATCH v2 1/6] Add a new flags-accepting interface for anonymous inodes Daniel Colascione
2020-02-12 16:37 ` Stephen Smalley
[not found] ` <88ea16bd-38be-b4f9-dfb3-e0626f5b6aaf-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2020-02-12 17:23 ` Daniel Colascione
2020-02-12 17:23 ` Daniel Colascione
2020-02-11 22:55 ` Daniel Colascione [this message]
2020-02-12 16:49 ` [PATCH v2 2/6] Add a concept of a "secure" anonymous file Stephen Smalley
2020-02-14 22:13 ` kbuild test robot
2020-02-14 22:13 ` kbuild test robot
2020-02-11 22:55 ` [PATCH v2 3/6] Teach SELinux about a new userfaultfd class Daniel Colascione
2020-02-12 17:05 ` Stephen Smalley
2020-02-12 17:19 ` Daniel Colascione
[not found] ` <CAKOZuesUVSYJ6EjHFL3QyiWKVmyhm1fLp5Bm_SHjB3_s1gn08A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2020-02-12 18:04 ` Stephen Smalley
2020-02-12 18:04 ` Stephen Smalley
2020-02-12 18:59 ` Stephen Smalley
[not found] ` <69f4ccce-18b2-42c1-71ac-3fe9caf2dfb6-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2020-02-12 19:04 ` Daniel Colascione
2020-02-12 19:04 ` Daniel Colascione
[not found] ` <CAKOZuevoKDYGVSooWAhi7Jr6Ww-+NEd-sStaPcN5Q6g+NKKRPQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2020-02-12 19:11 ` Stephen Smalley
2020-02-12 19:11 ` Stephen Smalley
[not found] ` <626a2302-5b5f-d7c1-fdef-51094bb1fe0d-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2020-02-12 19:13 ` Daniel Colascione
2020-02-12 19:13 ` Daniel Colascione
2020-02-12 19:17 ` Stephen Smalley
2020-02-11 22:55 ` [PATCH v2 6/6] Add a new sysctl for limiting userfaultfd to user mode faults Daniel Colascione
[not found] ` <20200211225547.235083-1-dancol-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2020-02-11 22:55 ` [PATCH v2 4/6] Wire UFFD up to SELinux Daniel Colascione
2020-02-11 22:55 ` Daniel Colascione
2020-02-11 22:55 ` [PATCH v2 5/6] Let userfaultfd opt out of handling kernel-mode faults Daniel Colascione
2020-02-11 22:55 ` Daniel Colascione
2020-02-11 23:13 ` [PATCH v2 0/6] Harden userfaultfd Casey Schaufler
2020-02-11 23:13 ` Casey Schaufler
2020-02-11 23:27 ` Daniel Colascione
2020-02-12 16:09 ` Stephen Smalley
2020-02-21 17:56 ` James Morris
2020-02-12 7:50 ` Kees Cook
2020-02-12 7:50 ` Kees Cook
2020-02-12 16:54 ` Jann Horn
2020-02-12 16:54 ` Jann Horn
2020-02-12 17:14 ` Peter Xu
2020-02-12 19:41 ` Andrea Arcangeli
2020-02-12 19:41 ` Andrea Arcangeli
2020-02-12 20:04 ` Daniel Colascione
2020-02-12 23:41 ` Andrea Arcangeli
2020-02-12 17:12 ` Daniel Colascione
2020-02-12 17:12 ` Daniel Colascione
2020-02-14 3:26 ` [PATCH 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-02-14 3:26 ` [PATCH 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-02-14 3:26 ` [PATCH 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-02-14 16:39 ` Stephen Smalley
2020-02-14 17:21 ` Daniel Colascione
2020-02-14 18:02 ` Stephen Smalley
2020-02-14 18:08 ` Stephen Smalley
2020-02-14 20:24 ` Stephen Smalley
2020-02-14 3:26 ` [PATCH 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-03-25 23:02 ` [PATCH v2 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-03-25 23:02 ` [PATCH v2 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-03-26 13:53 ` Stephen Smalley
2020-03-25 23:02 ` [PATCH v2 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-03-26 13:58 ` Stephen Smalley
2020-03-26 17:59 ` Daniel Colascione
2020-03-26 17:37 ` Stephen Smalley
2020-03-25 23:02 ` [PATCH v2 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-03-25 23:49 ` Casey Schaufler
2020-03-26 18:14 ` [PATCH v3 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-03-26 18:14 ` [PATCH v3 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-03-26 19:00 ` Stephen Smalley
2020-03-26 18:14 ` [PATCH v3 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-03-26 19:02 ` Stephen Smalley
2020-03-26 18:14 ` [PATCH v3 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-03-26 20:06 ` [PATCH v4 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-03-26 20:06 ` [PATCH v4 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-03-27 13:40 ` Stephen Smalley
2020-03-26 20:06 ` [PATCH v4 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-03-27 13:41 ` Stephen Smalley
2020-03-26 20:06 ` [PATCH v4 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-04-01 21:39 ` [PATCH v5 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-04-01 21:39 ` [PATCH v5 1/3] Add a new LSM-supporting anonymous inode interface Daniel Colascione
2020-05-07 16:02 ` James Morris
2020-08-04 21:22 ` Eric Biggers
2020-04-01 21:39 ` [PATCH v5 2/3] Teach SELinux about anonymous inodes Daniel Colascione
2020-04-01 21:39 ` [PATCH v5 3/3] Wire UFFD up to SELinux Daniel Colascione
2020-08-04 21:16 ` Eric Biggers
2020-04-13 13:29 ` [PATCH v5 0/3] SELinux support for anonymous inodes and UFFD Daniel Colascione
2020-04-22 16:55 ` James Morris
2020-04-22 17:12 ` Casey Schaufler
2020-04-23 22:24 ` Casey Schaufler
2020-04-27 16:18 ` Casey Schaufler
2020-04-27 16:48 ` Stephen Smalley
2020-04-27 17:12 ` Casey Schaufler
2020-04-29 17:02 ` Stephen Smalley
2020-04-27 17:15 ` Casey Schaufler
2020-04-27 19:40 ` Stephen Smalley
2020-06-04 3:56 ` James Morris
2020-06-04 18:51 ` Stephen Smalley
2020-06-04 19:24 ` Lokesh Gidra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200211225547.235083-3-dancol@google.com \
--to=dancol@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lokeshgidra@google.com \
--cc=nnk@google.com \
--cc=nosh@google.com \
--cc=selinux@vger.kernel.org \
--cc=timmurray@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.