[PATCH 4/5] LSM: Define SELinux function to measure security state

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, stephen.smalley@gmail.com, casey@schaufler-ca.com
Cc: jmorris@namei.org, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 4/5] LSM: Define SELinux function to measure security state
Date: Fri, 12 Jun 2020 19:41:29 -0700	[thread overview]
Message-ID: <20200613024130.3356-5-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20200613024130.3356-1-nramas@linux.microsoft.com>

SELinux needs to implement the interface function, security_state(), for
the LSM to gather SELinux data for measuring. Define the security_state()
function in SELinux.

The security modules should be able to notify the LSM when there is
a change in the module's data. Define a function namely 
security_state_change() in the LSM that the security modules
can call to provide the updated data for measurement.

Call security_state_change() function from SELinux to report data
when SELinux's state is updated.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
 include/linux/lsm_hooks.h           |  3 ++
 security/security.c                 |  5 ++++
 security/selinux/hooks.c            | 43 +++++++++++++++++++++++++++++
 security/selinux/include/security.h |  2 ++
 security/selinux/selinuxfs.c        |  1 +
 5 files changed, 54 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index da248c3fd4ac..a63de046139e 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1572,6 +1572,9 @@ struct lsm_info {
 			      int *state_len); /*Optional */
 };
 
+/* Called by LSMs to notify security state change */
+extern void security_state_change(char *lsm_name, void *state, int state_len);
+
 extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
 extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
 
diff --git a/security/security.c b/security/security.c
index a6e2d1cd95af..e7175db5a093 100644
--- a/security/security.c
+++ b/security/security.c
@@ -238,6 +238,11 @@ static void __init initialize_lsm(struct lsm_info *lsm)
 	}
 }
 
+void security_state_change(char *lsm_name, void *state, int state_len)
+{
+	ima_lsm_state(lsm_name, state, state_len);
+}
+
 static int measure_security_state(struct lsm_info *lsm)
 {
 	char *lsm_name = NULL;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7e954b555be6..bbc908a1fcd1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7225,6 +7225,47 @@ static __init int selinux_init(void)
 	return 0;
 }
 
+static int selinux_security_state(char **lsm_name, void **state,
+				  int *state_len)
+{
+	int rc = 0;
+	char *new_state;
+	static char *security_state_string = "enabled=%d;enforcing=%d";
+
+	*lsm_name = kstrdup("selinux", GFP_KERNEL);
+	if (!*lsm_name)
+		return -ENOMEM;
+
+	new_state = kzalloc(strlen(security_state_string) + 1, GFP_KERNEL);
+	if (!new_state) {
+		kfree(*lsm_name);
+		*lsm_name = NULL;
+		rc = -ENOMEM;
+		goto out;
+	}
+
+	*state_len = sprintf(new_state, security_state_string,
+			     !selinux_disabled(&selinux_state),
+			     enforcing_enabled(&selinux_state));
+	*state = new_state;
+
+out:
+	return rc;
+}
+
+void notify_security_state_change(void)
+{
+	char *lsm_name = NULL;
+	void *state = NULL;
+	int state_len = 0;
+
+	if (!selinux_security_state(&lsm_name, &state, &state_len)) {
+		security_state_change(lsm_name, state, state_len);
+		kfree(state);
+		kfree(lsm_name);
+	}
+}
+
 static void delayed_superblock_init(struct super_block *sb, void *unused)
 {
 	selinux_set_mnt_opts(sb, NULL, 0, NULL);
@@ -7247,6 +7288,7 @@ DEFINE_LSM(selinux) = {
 	.enabled = &selinux_enabled_boot,
 	.blobs = &selinux_blob_sizes,
 	.init = selinux_init,
+	.security_state = selinux_security_state,
 };
 
 #if defined(CONFIG_NETFILTER)
@@ -7357,6 +7399,7 @@ int selinux_disable(struct selinux_state *state)
 	}
 
 	selinux_mark_disabled(state);
+	notify_security_state_change();
 
 	pr_info("SELinux:  Disabled at runtime.\n");
 
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index b0e02cfe3ce1..83c6ada45c7c 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -232,6 +232,8 @@ size_t security_policydb_len(struct selinux_state *state);
 int security_policycap_supported(struct selinux_state *state,
 				 unsigned int req_cap);
 
+void notify_security_state_change(void);
+
 #define SEL_VEC_MAX 32
 struct av_decision {
 	u32 allowed;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 4781314c2510..8a5ba32a7775 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -173,6 +173,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 			from_kuid(&init_user_ns, audit_get_loginuid(current)),
 			audit_get_sessionid(current));
 		enforcing_set(state, new_value);
+		notify_security_state_change();
 		if (new_value)
 			avc_ss_reset(state->avc, 0);
 		selnl_notify_setenforce(new_value);
-- 
2.27.0

next prev parent reply	other threads:[~2020-06-13  2:41 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-13  2:41 [PATCH 0/5] LSM: Measure security module state Lakshmi Ramasubramanian
2020-06-13  2:41 ` [PATCH 1/5] IMA: Add LSM_STATE func to measure LSM data Lakshmi Ramasubramanian
2020-06-13  2:41 ` [PATCH 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2020-06-13  2:41 ` [PATCH 3/5] LSM: Add security_state function pointer in lsm_info struct Lakshmi Ramasubramanian
2020-06-13  2:41 ` Lakshmi Ramasubramanian [this message]
2020-06-15 11:57   ` [PATCH 4/5] LSM: Define SELinux function to measure security state Stephen Smalley
2020-06-15 12:15     ` Stephen Smalley
2020-06-15 16:45     ` Lakshmi Ramasubramanian
2020-06-15 17:33       ` Casey Schaufler
2020-06-15 17:44         ` Mimi Zohar
2020-06-15 23:18           ` Casey Schaufler
2020-06-16  0:44             ` Mimi Zohar
2020-06-16  8:38           ` John Johansen
2020-06-15 20:31       ` Stephen Smalley
2020-06-13  2:41 ` [PATCH 5/5] LSM: Define workqueue for measuring security module state Lakshmi Ramasubramanian
2020-06-15 13:33   ` Stephen Smalley
2020-06-15 14:59     ` Mimi Zohar
2020-06-15 15:47       ` Stephen Smalley
2020-06-15 16:10         ` Mimi Zohar

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:da248c3fd4a dfblob:a63de046139 dfblob:a6e2d1cd95a
dfblob:e7175db5a09 dfblob:7e954b555be dfblob:bbc908a1fcd
dfblob:b0e02cfe3ce dfblob:83c6ada45c7 dfblob:4781314c251
dfblob:8a5ba32a777 )
 OR (
bs:"[PATCH 4/5] LSM: Define SELinux function to measure security state" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200613024130.3356-5-nramas@linux.microsoft.com \
    --to=nramas@linux.microsoft.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=stephen.smalley@gmail.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.