From: Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
To: Paul Osmialowski
<p.osmialowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>,
Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
James Morris
<james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>,
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Tetsuo Handa
<penguin-kernel-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org>,
Neil Brown <neilb-l3A5Bk7waGM@public.gmane.org>,
Mark Rustad
<mark.d.rustad-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
Greg Kroah-Hartman
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
Daniel Mack <daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>,
David Herrmann
<dh.herrmann-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org>,
Djalal Harouni <tixxdz-Umm1ozX2/EEdnm+yROfE0A@public.gmane.org>,
Shuah Khan <shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org>,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: Karol Lewandowski
<k.lewandowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>,
Lukasz Skalski
<l.skalski-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
Subject: Re: [RFC 5/8] kdbus: use LSM hooks in kdbus code
Date: Fri, 10 Jul 2015 12:56:00 -0400 [thread overview]
Message-ID: <559FF920.2020302@tycho.nsa.gov> (raw)
In-Reply-To: <559D27AB.4010402-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
On 07/08/2015 09:37 AM, Stephen Smalley wrote:
> On 07/08/2015 06:25 AM, Paul Osmialowski wrote:
>> Originates from:
>>
>> https://github.com/lmctl/kdbus.git (branch: kdbus-lsm-v4.for-systemd-v212)
>> commit: aa0885489d19be92fa41c6f0a71df28763228a40
>>
>> Signed-off-by: Karol Lewandowski <k.lewandowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
>> Signed-off-by: Paul Osmialowski <p.osmialowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
>> ---
>> ipc/kdbus/bus.c | 12 ++++++++++-
>> ipc/kdbus/bus.h | 3 +++
>> ipc/kdbus/connection.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++
>> ipc/kdbus/connection.h | 4 ++++
>> ipc/kdbus/domain.c | 9 ++++++++-
>> ipc/kdbus/domain.h | 2 ++
>> ipc/kdbus/endpoint.c | 11 ++++++++++
>> ipc/kdbus/names.c | 11 ++++++++++
>> ipc/kdbus/queue.c | 30 ++++++++++++++++++----------
>> 9 files changed, 124 insertions(+), 12 deletions(-)
>>
>>
>
>> diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
>> index 9993753..b85cdc7 100644
>> --- a/ipc/kdbus/connection.c
>> +++ b/ipc/kdbus/connection.c
>> @@ -31,6 +31,7 @@
>> #include <linux/slab.h>
>> #include <linux/syscalls.h>
>> #include <linux/uio.h>
>> +#include <linux/security.h>
>>
>> #include "bus.h"
>> #include "connection.h"
>> @@ -73,6 +74,8 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, bool privileged,
>> bool is_activator;
>> bool is_monitor;
>> struct kvec kvec;
>> + u32 sid, len;
>> + char *label;
>> int ret;
>>
>> struct {
>> @@ -222,6 +225,14 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, bool privileged,
>> }
>> }
>>
>> + security_task_getsecid(current, &sid);
>> + security_secid_to_secctx(sid, &label, &len);
>> + ret = security_kdbus_connect(conn, label, len);
>> + if (ret) {
>> + ret = -EPERM;
>> + goto exit_unref;
>> + }
>
> This seems convoluted and expensive. If you always want the label of
> the current task here, then why not just have security_kdbus_connect()
> internally extract the label of the current task?
>
>> @@ -1107,6 +1119,12 @@ static int kdbus_conn_reply(struct kdbus_conn *src, struct kdbus_kmsg *kmsg)
>> if (ret < 0)
>> goto exit;
>>
>> + ret = security_kdbus_talk(src, dst);
>> + if (ret) {
>> + ret = -EPERM;
>> + goto exit;
>> + }
>
> Where does kdbus apply its uid-based or other restrictions on
> connections? Why do we need to insert separate hooks into each of these
> functions? Is there no central chokepoint already for permission
> checking that we can hook?
For example, why wouldn't you insert a single hook into
kdbus_conn_policy_talk() where they perform their DAC checking?
You would need to restructure it slightly to ensure that the security
hook is only called if it passes the DAC (privileged || uid_eq) check so
that we do not trigger MAC denials when DAC wouldn't have allowed it
anyway. Also, kdbus_conn_policy_talk() takes a separate conn_creds
argument - that should be passed through to the hook as well.
WARNING: multiple messages have this Message-ID (diff)
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Paul Osmialowski <p.osmialowsk@samsung.com>,
Paul Moore <pmoore@redhat.com>,
James Morris <james.l.morris@oracle.com>,
Casey Schaufler <casey@schaufler-ca.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Kees Cook <keescook@chromium.org>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Neil Brown <neilb@suse.de>, Mark Rustad <mark.d.rustad@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Daniel Mack <daniel@zonque.org>,
David Herrmann <dh.herrmann@googlemail.com>,
Djalal Harouni <tixxdz@opendz.org>,
Shuah Khan <shuahkh@osg.samsung.com>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
Cc: Karol Lewandowski <k.lewandowsk@samsung.com>,
Lukasz Skalski <l.skalski@samsung.com>
Subject: Re: [RFC 5/8] kdbus: use LSM hooks in kdbus code
Date: Fri, 10 Jul 2015 12:56:00 -0400 [thread overview]
Message-ID: <559FF920.2020302@tycho.nsa.gov> (raw)
In-Reply-To: <559D27AB.4010402@tycho.nsa.gov>
On 07/08/2015 09:37 AM, Stephen Smalley wrote:
> On 07/08/2015 06:25 AM, Paul Osmialowski wrote:
>> Originates from:
>>
>> https://github.com/lmctl/kdbus.git (branch: kdbus-lsm-v4.for-systemd-v212)
>> commit: aa0885489d19be92fa41c6f0a71df28763228a40
>>
>> Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
>> Signed-off-by: Paul Osmialowski <p.osmialowsk@samsung.com>
>> ---
>> ipc/kdbus/bus.c | 12 ++++++++++-
>> ipc/kdbus/bus.h | 3 +++
>> ipc/kdbus/connection.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++
>> ipc/kdbus/connection.h | 4 ++++
>> ipc/kdbus/domain.c | 9 ++++++++-
>> ipc/kdbus/domain.h | 2 ++
>> ipc/kdbus/endpoint.c | 11 ++++++++++
>> ipc/kdbus/names.c | 11 ++++++++++
>> ipc/kdbus/queue.c | 30 ++++++++++++++++++----------
>> 9 files changed, 124 insertions(+), 12 deletions(-)
>>
>>
>
>> diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
>> index 9993753..b85cdc7 100644
>> --- a/ipc/kdbus/connection.c
>> +++ b/ipc/kdbus/connection.c
>> @@ -31,6 +31,7 @@
>> #include <linux/slab.h>
>> #include <linux/syscalls.h>
>> #include <linux/uio.h>
>> +#include <linux/security.h>
>>
>> #include "bus.h"
>> #include "connection.h"
>> @@ -73,6 +74,8 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, bool privileged,
>> bool is_activator;
>> bool is_monitor;
>> struct kvec kvec;
>> + u32 sid, len;
>> + char *label;
>> int ret;
>>
>> struct {
>> @@ -222,6 +225,14 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, bool privileged,
>> }
>> }
>>
>> + security_task_getsecid(current, &sid);
>> + security_secid_to_secctx(sid, &label, &len);
>> + ret = security_kdbus_connect(conn, label, len);
>> + if (ret) {
>> + ret = -EPERM;
>> + goto exit_unref;
>> + }
>
> This seems convoluted and expensive. If you always want the label of
> the current task here, then why not just have security_kdbus_connect()
> internally extract the label of the current task?
>
>> @@ -1107,6 +1119,12 @@ static int kdbus_conn_reply(struct kdbus_conn *src, struct kdbus_kmsg *kmsg)
>> if (ret < 0)
>> goto exit;
>>
>> + ret = security_kdbus_talk(src, dst);
>> + if (ret) {
>> + ret = -EPERM;
>> + goto exit;
>> + }
>
> Where does kdbus apply its uid-based or other restrictions on
> connections? Why do we need to insert separate hooks into each of these
> functions? Is there no central chokepoint already for permission
> checking that we can hook?
For example, why wouldn't you insert a single hook into
kdbus_conn_policy_talk() where they perform their DAC checking?
You would need to restructure it slightly to ensure that the security
hook is only called if it passes the DAC (privileged || uid_eq) check so
that we do not trigger MAC denials when DAC wouldn't have allowed it
anyway. Also, kdbus_conn_policy_talk() takes a separate conn_creds
argument - that should be passed through to the hook as well.
next prev parent reply other threads:[~2015-07-10 16:56 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-08 10:25 [RFC 0/8] Introduce LSM to KDBUS Paul Osmialowski
2015-07-08 10:25 ` [RFC 1/8] lsm: make security_file_receive available for external modules Paul Osmialowski
[not found] ` <1436351110-5902-1-git-send-email-p.osmialowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-07-08 10:25 ` [RFC 2/8] lsm: smack: Make ipc/kdbus includes visible so smack callbacks could see them Paul Osmialowski
2015-07-08 10:25 ` Paul Osmialowski
2015-07-08 16:43 ` Daniel Mack
2015-07-08 10:25 ` [RFC 3/8] lsm: kdbus security hooks Paul Osmialowski
2015-07-08 10:25 ` Paul Osmialowski
[not found] ` <1436351110-5902-4-git-send-email-p.osmialowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-07-08 11:00 ` Lukasz Pawelczyk
2015-07-08 11:00 ` Lukasz Pawelczyk
2015-07-08 14:14 ` Greg Kroah-Hartman
2015-07-08 10:25 ` [RFC 4/8] lsm: smack: smack callbacks for " Paul Osmialowski
2015-07-08 10:25 ` Paul Osmialowski
2015-07-08 13:42 ` Stephen Smalley
2015-07-08 16:38 ` Casey Schaufler
[not found] ` <559D5201.6060400-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2015-07-08 20:07 ` Paul Moore
2015-07-08 20:07 ` Paul Moore
2015-07-09 10:08 ` Sergei Zviagintsev
[not found] ` <20150709100808.GH25971-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2015-07-09 15:24 ` Casey Schaufler
2015-07-09 15:24 ` Casey Schaufler
2015-07-08 10:25 ` [RFC 5/8] kdbus: use LSM hooks in kdbus code Paul Osmialowski
2015-07-08 10:25 ` Paul Osmialowski
[not found] ` <1436351110-5902-6-git-send-email-p.osmialowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-07-08 11:06 ` Lukasz Pawelczyk
2015-07-08 11:06 ` Lukasz Pawelczyk
2015-07-08 11:09 ` Lukasz Pawelczyk
2015-07-08 11:09 ` Lukasz Pawelczyk
[not found] ` <1436353775.2331.2.camel-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2015-07-08 12:12 ` Paul Osmialowski
2015-07-08 12:12 ` Paul Osmialowski
2015-07-09 10:55 ` Sergei Zviagintsev
[not found] ` <20150709105510.GI25971-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2015-07-09 11:28 ` Paul Osmialowski
2015-07-09 11:28 ` Paul Osmialowski
2015-07-08 14:13 ` Greg Kroah-Hartman
2015-07-08 14:13 ` Greg Kroah-Hartman
2015-07-08 13:37 ` Stephen Smalley
[not found] ` <559D27AB.4010402-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2015-07-10 16:56 ` Stephen Smalley [this message]
2015-07-10 16:56 ` Stephen Smalley
2015-07-10 18:20 ` Stephen Smalley
2015-07-10 18:20 ` Stephen Smalley
2015-07-08 16:24 ` Casey Schaufler
2015-07-08 10:25 ` [RFC 6/8] kdbus: TEST_CREATE_CONN now does no depend on TEST_CREATE_BUS Paul Osmialowski
2015-07-08 10:25 ` [RFC 7/8] kdbus: selftests extended Paul Osmialowski
2015-07-08 10:25 ` [RFC 8/8] kdbus: Ability to run kdbus test by executable binary name Paul Osmialowski
2015-07-08 14:16 ` Greg Kroah-Hartman
2015-07-08 14:58 ` Paul Osmialowski
2015-07-08 16:46 ` [RFC 0/8] Introduce LSM to KDBUS Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=559FF920.2020302@tycho.nsa.gov \
--to=sds-+05t5uksl2qpzymllgbcsa@public.gmane.org \
--cc=casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org \
--cc=daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org \
--cc=dh.herrmann-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org \
--cc=gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=k.lewandowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=l.skalski-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mark.d.rustad-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=neilb-l3A5Bk7waGM@public.gmane.org \
--cc=p.osmialowsk-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org \
--cc=penguin-kernel-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org \
--cc=pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org \
--cc=tixxdz-Umm1ozX2/EEdnm+yROfE0A@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.