From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: john.johansen@canonical.com, linux-kernel@vger.kernel.org, linux-audit@redhat.com, linux-integrity@vger.kernel.org, sds@tycho.nsa.gov
Subject: [PATCH v26 11/25] LSM: Use lsmblob in security_inode_getsecid
Date: Thu, 13 May 2021 13:07:53 -0700
Message-Id: <20210513200807.15910-12-casey@schaufler-ca.com>
In-Reply-To: <20210513200807.15910-1-casey@schaufler-ca.com>
References: <20210513200807.15910-1-casey@schaufler-ca.com>

Change the security_inode_getsecid() interface to fill in a lsmblob
structure instead of a u32 secid. This allows for its callers to
gather data from all registered LSMs. Data is provided for IMA and
audit.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-audit@redhat.com --- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 4 +--- security/security.c | 11 +++++++++-- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 60f4515b9181..64f898e5e854 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -454,7 +454,7 @@ int security_inode_getsecurity(struct user_namespace *mnt_userns, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, @@ -1005,9 +1005,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getsecid(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob, 0); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index dd902b68433e..6684927f12fc 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -1962,13 +1962,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getsecid(inode, &blob); + /* scaffolding until osid is updated */ + name->osid = blob.secid[0]; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a05841e1012b..5ee7629fd782 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -606,7 +606,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; struct lsmblob lsmdata; if (!ima_lsm_isset(rule, i)) { @@ -619,8 +618,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - lsmblob_init(&lsmdata, osid); + security_inode_getsecid(inode, &lsmdata); rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type, Audit_equal, rule->lsm[i].rule); diff --git a/security/security.c b/security/security.c index f3b985f76dab..54f4a4ead69f 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1546,9 +1546,16 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer } EXPORT_SYMBOL(security_inode_listsecurity); -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getsecid(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + struct security_hook_list *hp; + + lsmblob_init(blob, 0); + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecid, list) { + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + hp->hook.inode_getsecid(inode, &blob->secid[hp->lsmid->slot]); + } } int security_inode_copy_up(struct dentry *src, struct cred **new) -- 2.29.2 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
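Review bot: in the second include/linux/security.h hunk (`@@ -1005,9 +1005,10 @@`) the CONFIG_SECURITY=n stub now calls lsmblob_init(blob, 0) instead of writing `*secid = 0`; that keeps every slot zeroed for callers that read blob.secid[0] in that configuration, but please confirm lsmblob_init() is itself visible on the !CONFIG_SECURITY side of the header, otherwise this stub does not build without an LSM configured.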
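Review bot: in the kernel/auditsc.c hunk, the scaffolding line `name->osid = blob.secid[0];` records only the secid in slot 0, so once more than one module implements inode_getsecid the audit record's osid reflects whichever LSM was assigned slot 0 and nothing from the others; the comment says this is temporary, so the commit message should state which later patch in the series converts osid to an lsmblob, and a TODO marker on the comment would make the scaffolding easy to find when that patch lands.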
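Review bot: in the security/integrity/ima/ima_policy.c hunk at `@@ -619,8 +618,7 @@`, removing `lsmblob_init(&lsmdata, osid);` leaves the loop-local `struct lsmblob lsmdata;` uninitialised until the switch; the three LSM_OBJ_* cases are now filled by security_inode_getsecid(), which zeroes the blob before calling the hooks, but the other cases of that switch lie outside the hunk and must each initialise lsmdata on their own path before ima_filter_rule_match() runs. It is also worth spelling out in the commit message that this changes matching semantics: previously every slot of lsmdata carried the same single osid, now each slot carries its own module's secid.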
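Review bot: in the security/security.c hunk, the WARN_ON() inside the hlist_for_each_entry loop fires on every security_inode_getsecid() call for a hook whose lsmid->slot is out of range, and this hook is reached per inode from both audit_copy_inode() and ima_match_rules(), so a single misregistered module would flood the log; WARN_ON_ONCE() gives the same diagnostic without the repetition. The `lsmblob_init(blob, 0);` placed before the loop is what keeps skipped or absent slots at zero, matching the old `*secid = 0` behaviour the u32 callers relied on, so that ordering should be kept as the loop evolves.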