* [PATCH 01/13] LSM: Add the lsmblob data structure.
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-26 13:34 ` Georgia Garcia
2024-08-25 19:00 ` [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
` (11 subsequent siblings)
12 siblings, 1 reply; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
When more than one security module is exporting data to audit and
networking sub-systems a single 32 bit integer is no longer
sufficient to represent the data. Add a structure to be used instead.
The lsmblob structure definition is intended to keep the LSM
specific information private to the individual security modules.
The module specific information is included in a new set of
header files under include/lsm. Each security module is allowed
to define the information included for its use in the lsmblob.
SELinux includes a u32 secid. Smack includes a pointer into its
global label list. The conditional compilation based on feature
inclusion is contained in the include/lsm files.
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm/apparmor.h | 17 +++++++++++++++++
include/linux/lsm/bpf.h | 16 ++++++++++++++++
include/linux/lsm/selinux.h | 16 ++++++++++++++++
include/linux/lsm/smack.h | 17 +++++++++++++++++
include/linux/security.h | 20 ++++++++++++++++++++
5 files changed, 86 insertions(+)
create mode 100644 include/linux/lsm/apparmor.h
create mode 100644 include/linux/lsm/bpf.h
create mode 100644 include/linux/lsm/selinux.h
create mode 100644 include/linux/lsm/smack.h
diff --git a/include/linux/lsm/apparmor.h b/include/linux/lsm/apparmor.h
new file mode 100644
index 000000000000..8ff1cd899a20
--- /dev/null
+++ b/include/linux/lsm/apparmor.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Linux Security Module interface to other subsystems.
+ * AppArmor presents a single u32 value which is known as a secid.
+ */
+#ifndef __LINUX_LSM_APPARMOR_H
+#define __LINUX_LSM_APPARMOR_H
+
+struct aa_label;
+
+struct lsmblob_apparmor {
+#ifdef CONFIG_SECURITY_APPARMOR
+ struct aa_label *label;
+#endif
+};
+
+#endif /* ! __LINUX_LSM_APPARMOR_H */
diff --git a/include/linux/lsm/bpf.h b/include/linux/lsm/bpf.h
new file mode 100644
index 000000000000..48abdcd82ded
--- /dev/null
+++ b/include/linux/lsm/bpf.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Linux Security Module interface to other subsystems.
+ * BPF may present a single u32 value.
+ */
+#ifndef __LINUX_LSM_BPF_H
+#define __LINUX_LSM_BPF_H
+#include <linux/types.h>
+
+struct lsmblob_bpf {
+#ifdef CONFIG_BPF_LSM
+ u32 secid;
+#endif
+};
+
+#endif /* ! __LINUX_LSM_BPF_H */
diff --git a/include/linux/lsm/selinux.h b/include/linux/lsm/selinux.h
new file mode 100644
index 000000000000..fd16456b36ac
--- /dev/null
+++ b/include/linux/lsm/selinux.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Linux Security Module interface to other subsystems.
+ * SELinux presents a single u32 value which is known as a secid.
+ */
+#ifndef __LINUX_LSM_SELINUX_H
+#define __LINUX_LSM_SELINUX_H
+#include <linux/types.h>
+
+struct lsmblob_selinux {
+#ifdef CONFIG_SECURITY_SELINUX
+ u32 secid;
+#endif
+};
+
+#endif /* ! __LINUX_LSM_SELINUX_H */
diff --git a/include/linux/lsm/smack.h b/include/linux/lsm/smack.h
new file mode 100644
index 000000000000..2018f288302f
--- /dev/null
+++ b/include/linux/lsm/smack.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Linux Security Module interface to other subsystems.
+ * Smack presents a pointer into the global Smack label list.
+ */
+#ifndef __LINUX_LSM_SMACK_H
+#define __LINUX_LSM_SMACK_H
+
+struct smack_known;
+
+struct lsmblob_smack {
+#ifdef CONFIG_SECURITY_SMACK
+ struct smack_known *skp;
+#endif
+};
+
+#endif /* ! __LINUX_LSM_SMACK_H */
diff --git a/include/linux/security.h b/include/linux/security.h
index 1390f1efb4f0..0057a22137e8 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -34,6 +34,10 @@
#include <linux/sockptr.h>
#include <linux/bpf.h>
#include <uapi/linux/lsm.h>
+#include <linux/lsm/selinux.h>
+#include <linux/lsm/smack.h>
+#include <linux/lsm/apparmor.h>
+#include <linux/lsm/bpf.h>
struct linux_binprm;
struct cred;
@@ -140,6 +144,22 @@ enum lockdown_reason {
LOCKDOWN_CONFIDENTIALITY_MAX,
};
+/* scaffolding */
+struct lsmblob_scaffold {
+ u32 secid;
+};
+
+/*
+ * Data exported by the security modules
+ */
+struct lsmblob {
+ struct lsmblob_selinux selinux;
+ struct lsmblob_smack smack;
+ struct lsmblob_apparmor apparmor;
+ struct lsmblob_bpf bpf;
+ struct lsmblob_scaffold scaffold;
+};
+
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
extern u32 lsm_active_cnt;
extern const struct lsm_id *lsm_idlist[];
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* Re: [PATCH 01/13] LSM: Add the lsmblob data structure.
2024-08-25 19:00 ` [PATCH 01/13] LSM: Add the lsmblob data structure Casey Schaufler
@ 2024-08-26 13:34 ` Georgia Garcia
0 siblings, 0 replies; 24+ messages in thread
From: Georgia Garcia @ 2024-08-26 13:34 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Hi Casey,
On Sun, 2024-08-25 at 12:00 -0700, Casey Schaufler wrote:
> When more than one security module is exporting data to audit and
> networking sub-systems a single 32 bit integer is no longer
> sufficient to represent the data. Add a structure to be used instead.
>
> The lsmblob structure definition is intended to keep the LSM
> specific information private to the individual security modules.
> The module specific information is included in a new set of
> header files under include/lsm. Each security module is allowed
> to define the information included for its use in the lsmblob.
> SELinux includes a u32 secid. Smack includes a pointer into its
> global label list. The conditional compilation based on feature
> inclusion is contained in the include/lsm files.
>
> Suggested-by: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/lsm/apparmor.h | 17 +++++++++++++++++
> include/linux/lsm/bpf.h | 16 ++++++++++++++++
> include/linux/lsm/selinux.h | 16 ++++++++++++++++
> include/linux/lsm/smack.h | 17 +++++++++++++++++
> include/linux/security.h | 20 ++++++++++++++++++++
> 5 files changed, 86 insertions(+)
> create mode 100644 include/linux/lsm/apparmor.h
> create mode 100644 include/linux/lsm/bpf.h
> create mode 100644 include/linux/lsm/selinux.h
> create mode 100644 include/linux/lsm/smack.h
>
> diff --git a/include/linux/lsm/apparmor.h b/include/linux/lsm/apparmor.h
> new file mode 100644
> index 000000000000..8ff1cd899a20
> --- /dev/null
> +++ b/include/linux/lsm/apparmor.h
> @@ -0,0 +1,17 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Linux Security Module interface to other subsystems.
> + * AppArmor presents a single u32 value which is known as a secid.
Just a small nitpick: this comment doesn't match the code since it's
using aa_label instead of a u32 secid.
> + */
> +#ifndef __LINUX_LSM_APPARMOR_H
> +#define __LINUX_LSM_APPARMOR_H
> +
> +struct aa_label;
> +
> +struct lsmblob_apparmor {
> +#ifdef CONFIG_SECURITY_APPARMOR
> + struct aa_label *label;
> +#endif
> +};
> +
> +#endif /* ! __LINUX_LSM_APPARMOR_H */
> diff --git a/include/linux/lsm/bpf.h b/include/linux/lsm/bpf.h
> new file mode 100644
> index 000000000000..48abdcd82ded
> --- /dev/null
> +++ b/include/linux/lsm/bpf.h
> @@ -0,0 +1,16 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Linux Security Module interface to other subsystems.
> + * BPF may present a single u32 value.
> + */
> +#ifndef __LINUX_LSM_BPF_H
> +#define __LINUX_LSM_BPF_H
> +#include <linux/types.h>
> +
> +struct lsmblob_bpf {
> +#ifdef CONFIG_BPF_LSM
> + u32 secid;
> +#endif
> +};
> +
> +#endif /* ! __LINUX_LSM_BPF_H */
> diff --git a/include/linux/lsm/selinux.h b/include/linux/lsm/selinux.h
> new file mode 100644
> index 000000000000..fd16456b36ac
> --- /dev/null
> +++ b/include/linux/lsm/selinux.h
> @@ -0,0 +1,16 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Linux Security Module interface to other subsystems.
> + * SELinux presents a single u32 value which is known as a secid.
> + */
> +#ifndef __LINUX_LSM_SELINUX_H
> +#define __LINUX_LSM_SELINUX_H
> +#include <linux/types.h>
> +
> +struct lsmblob_selinux {
> +#ifdef CONFIG_SECURITY_SELINUX
> + u32 secid;
> +#endif
> +};
> +
> +#endif /* ! __LINUX_LSM_SELINUX_H */
> diff --git a/include/linux/lsm/smack.h b/include/linux/lsm/smack.h
> new file mode 100644
> index 000000000000..2018f288302f
> --- /dev/null
> +++ b/include/linux/lsm/smack.h
> @@ -0,0 +1,17 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Linux Security Module interface to other subsystems.
> + * Smack presents a pointer into the global Smack label list.
> + */
> +#ifndef __LINUX_LSM_SMACK_H
> +#define __LINUX_LSM_SMACK_H
> +
> +struct smack_known;
> +
> +struct lsmblob_smack {
> +#ifdef CONFIG_SECURITY_SMACK
> + struct smack_known *skp;
> +#endif
> +};
> +
> +#endif /* ! __LINUX_LSM_SMACK_H */
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 1390f1efb4f0..0057a22137e8 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -34,6 +34,10 @@
> #include <linux/sockptr.h>
> #include <linux/bpf.h>
> #include <uapi/linux/lsm.h>
> +#include <linux/lsm/selinux.h>
> +#include <linux/lsm/smack.h>
> +#include <linux/lsm/apparmor.h>
> +#include <linux/lsm/bpf.h>
>
> struct linux_binprm;
> struct cred;
> @@ -140,6 +144,22 @@ enum lockdown_reason {
> LOCKDOWN_CONFIDENTIALITY_MAX,
> };
>
> +/* scaffolding */
> +struct lsmblob_scaffold {
> + u32 secid;
> +};
> +
> +/*
> + * Data exported by the security modules
> + */
> +struct lsmblob {
> + struct lsmblob_selinux selinux;
> + struct lsmblob_smack smack;
> + struct lsmblob_apparmor apparmor;
> + struct lsmblob_bpf bpf;
> + struct lsmblob_scaffold scaffold;
> +};
> +
> extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
> extern u32 lsm_active_cnt;
> extern const struct lsm_id *lsm_idlist[];
^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
2024-08-25 19:00 ` [PATCH 01/13] LSM: Add the lsmblob data structure Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-26 19:31 ` kernel test robot
2024-08-25 19:00 ` [PATCH 03/13] LSM: Add lsmblob_to_secctx hook Casey Schaufler
` (10 subsequent siblings)
12 siblings, 1 reply; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.
Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At the point the use of lsmblob_init() is dropped.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
---
include/linux/lsm_hook_defs.h | 3 ++-
include/linux/security.h | 7 ++++---
kernel/auditfilter.c | 11 +++++++----
kernel/auditsc.c | 18 ++++++++++++++----
security/apparmor/audit.c | 8 ++++++--
security/apparmor/include/audit.h | 2 +-
security/integrity/ima/ima_policy.c | 11 +++++++----
security/security.c | 7 ++++---
security/selinux/include/audit.h | 5 +++--
security/selinux/ss/services.c | 11 ++++++++---
security/smack/smack_lsm.c | 11 ++++++++---
11 files changed, 64 insertions(+), 30 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 855db460e08b..1d3bdf71109e 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -416,7 +416,8 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring,
LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr,
void **lsmrule, gfp_t gfp)
LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule)
-LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule)
+LSM_HOOK(int, 0, audit_rule_match, struct lsmblob *blob, u32 field, u32 op,
+ void *lsmrule)
LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule)
#endif /* CONFIG_AUDIT */
diff --git a/include/linux/security.h b/include/linux/security.h
index 0057a22137e8..c0ed2119a622 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2071,7 +2071,8 @@ static inline void security_key_post_create_or_update(struct key *keyring,
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,
gfp_t gfp);
int security_audit_rule_known(struct audit_krule *krule);
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+ void *lsmrule);
void security_audit_rule_free(void *lsmrule);
#else
@@ -2087,8 +2088,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
return 0;
}
-static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
- void *lsmrule)
+static inline int security_audit_rule_match(struct lsmblob *blob, u32 field,
+ u32 op, void *lsmrule)
{
return 0;
}
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index d6ef4f4f9cba..c4c7cda3b846 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1339,8 +1339,8 @@ int audit_filter(int msgtype, unsigned int listtype)
for (i = 0; i < e->rule.field_count; i++) {
struct audit_field *f = &e->rule.fields[i];
+ struct lsmblob blob = { };
pid_t pid;
- u32 sid;
switch (f->type) {
case AUDIT_PID:
@@ -1370,9 +1370,12 @@ int audit_filter(int msgtype, unsigned int listtype)
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
if (f->lsm_rule) {
- security_current_getsecid_subj(&sid);
- result = security_audit_rule_match(sid,
- f->type, f->op, f->lsm_rule);
+ /* scaffolding */
+ security_current_getsecid_subj(
+ &blob.scaffold.secid);
+ result = security_audit_rule_match(
+ &blob, f->type, f->op,
+ f->lsm_rule);
}
break;
case AUDIT_EXE:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6f0d6fb6523f..23adb15cae43 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -471,6 +471,7 @@ static int audit_filter_rules(struct task_struct *tsk,
const struct cred *cred;
int i, need_sid = 1;
u32 sid;
+ struct lsmblob blob = { };
unsigned int sessionid;
if (ctx && rule->prio <= ctx->prio)
@@ -681,7 +682,10 @@ static int audit_filter_rules(struct task_struct *tsk,
security_current_getsecid_subj(&sid);
need_sid = 0;
}
- result = security_audit_rule_match(sid, f->type,
+ /* scaffolding */
+ blob.scaffold.secid = sid;
+ result = security_audit_rule_match(&blob,
+ f->type,
f->op,
f->lsm_rule);
}
@@ -696,15 +700,19 @@ static int audit_filter_rules(struct task_struct *tsk,
if (f->lsm_rule) {
/* Find files that match */
if (name) {
+ /* scaffolding */
+ blob.scaffold.secid = name->osid;
result = security_audit_rule_match(
- name->osid,
+ &blob,
f->type,
f->op,
f->lsm_rule);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
+ /* scaffolding */
+ blob.scaffold.secid = n->osid;
if (security_audit_rule_match(
- n->osid,
+ &blob,
f->type,
f->op,
f->lsm_rule)) {
@@ -716,7 +724,9 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
- if (security_audit_rule_match(ctx->ipc.osid,
+ /* scaffolding */
+ blob.scaffold.secid = ctx->ipc.osid;
+ if (security_audit_rule_match(&blob,
f->type, f->op,
f->lsm_rule))
++result;
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 6b5181c668b5..758b75a9c1c5 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -264,13 +264,17 @@ int aa_audit_rule_known(struct audit_krule *rule)
return 0;
}
-int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
+int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule)
{
struct aa_audit_rule *rule = vrule;
struct aa_label *label;
int found = 0;
- label = aa_secid_to_label(sid);
+ /* scaffolding */
+ if (!blob->apparmor.label && blob->scaffold.secid)
+ label = aa_secid_to_label(blob->scaffold.secid);
+ else
+ label = blob->apparmor.label;
if (!label)
return -ENOENT;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 0c8cc86b417b..c5a516e61318 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -202,6 +202,6 @@ static inline int complain_error(int error)
void aa_audit_rule_free(void *vrule);
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp);
int aa_audit_rule_known(struct audit_krule *rule);
-int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
+int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule);
#endif /* __AA_AUDIT_H */
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 09da8e639239..40119816b848 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -635,7 +635,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
return false;
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
- u32 osid;
+ struct lsmblob blob = { };
if (!lsm_rule->lsm[i].rule) {
if (!lsm_rule->lsm[i].args_p)
@@ -649,15 +649,18 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
case LSM_OBJ_USER:
case LSM_OBJ_ROLE:
case LSM_OBJ_TYPE:
- security_inode_getsecid(inode, &osid);
- rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type,
+ /* scaffolding */
+ security_inode_getsecid(inode, &blob.scaffold.secid);
+ rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
Audit_equal,
lsm_rule->lsm[i].rule);
break;
case LSM_SUBJ_USER:
case LSM_SUBJ_ROLE:
case LSM_SUBJ_TYPE:
- rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type,
+ /* scaffolding */
+ blob.scaffold.secid = secid;
+ rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
Audit_equal,
lsm_rule->lsm[i].rule);
break;
diff --git a/security/security.c b/security/security.c
index 8cee5b6c6e6d..64a6d6bbd1f4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5399,7 +5399,7 @@ void security_audit_rule_free(void *lsmrule)
/**
* security_audit_rule_match() - Check if a label matches an audit rule
- * @secid: security label
+ * @lsmblob: security label
* @field: LSM audit field
* @op: matching operator
* @lsmrule: audit rule
@@ -5410,9 +5410,10 @@ void security_audit_rule_free(void *lsmrule)
* Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on
* failure.
*/
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+ void *lsmrule)
{
- return call_int_hook(audit_rule_match, secid, field, op, lsmrule);
+ return call_int_hook(audit_rule_match, blob, field, op, lsmrule);
}
#endif /* CONFIG_AUDIT */
diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h
index 29c7d4c86f6d..104165e4c931 100644
--- a/security/selinux/include/audit.h
+++ b/security/selinux/include/audit.h
@@ -41,7 +41,7 @@ void selinux_audit_rule_free(void *rule);
/**
* selinux_audit_rule_match - determine if a context ID matches a rule.
- * @sid: the context ID to check
+ * @blob: includes the context ID to check
* @field: the field this rule refers to
* @op: the operator the rule uses
* @rule: pointer to the audit rule to check against
@@ -49,7 +49,8 @@ void selinux_audit_rule_free(void *rule);
* Returns 1 if the context id matches the rule, 0 if it does not, and
* -errno on failure.
*/
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule);
+int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+ void *rule);
/**
* selinux_audit_rule_known - check to see if rule contains selinux fields.
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e33e55384b75..43eb1d46942c 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3633,7 +3633,8 @@ int selinux_audit_rule_known(struct audit_krule *rule)
return 0;
}
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
+int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+ void *vrule)
{
struct selinux_state *state = &selinux_state;
struct selinux_policy *policy;
@@ -3659,10 +3660,14 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
goto out;
}
- ctxt = sidtab_search(policy->sidtab, sid);
+ /* scaffolding */
+ if (!blob->selinux.secid && blob->scaffold.secid)
+ blob->selinux.secid = blob->scaffold.secid;
+
+ ctxt = sidtab_search(policy->sidtab, blob->selinux.secid);
if (unlikely(!ctxt)) {
WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
- sid);
+ blob->selinux.secid);
match = -ENOENT;
goto out;
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 4164699cd4f6..52d5ef986db8 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4776,7 +4776,7 @@ static int smack_audit_rule_known(struct audit_krule *krule)
/**
* smack_audit_rule_match - Audit given object ?
- * @secid: security id for identifying the object to test
+ * @blob: security id for identifying the object to test
* @field: audit rule flags given from user-space
* @op: required testing operator
* @vrule: smack internal rule presentation
@@ -4784,7 +4784,8 @@ static int smack_audit_rule_known(struct audit_krule *krule)
* The core Audit hook. It's used to take the decision of
* whether to audit or not to audit a given object.
*/
-static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule)
+static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+ void *vrule)
{
struct smack_known *skp;
char *rule = vrule;
@@ -4797,7 +4798,11 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule)
if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
return 0;
- skp = smack_from_secid(secid);
+ /* scaffolding */
+ if (!blob->smack.skp && blob->scaffold.secid)
+ skp = smack_from_secid(blob->scaffold.secid);
+ else
+ skp = blob->smack.skp;
/*
* No need to do string comparisons. If a match occurs,
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* Re: [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match
2024-08-25 19:00 ` [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
@ 2024-08-26 19:31 ` kernel test robot
0 siblings, 0 replies; 24+ messages in thread
From: kernel test robot @ 2024-08-26 19:31 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: oe-kbuild-all, jmorris, serge, keescook, john.johansen,
penguin-kernel, stephen.smalley.work, linux-kernel, mic
Hi Casey,
kernel test robot noticed the following build warnings:
[auto build test WARNING on pcmoore-selinux/next]
[also build test WARNING on zohar-integrity/next-integrity linus/master pcmoore-audit/next v6.11-rc5 next-20240826]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Add-the-lsmblob-data-structure/20240826-170520
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
patch link: https://lore.kernel.org/r/20240825190048.13289-3-casey%40schaufler-ca.com
patch subject: [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match
config: i386-buildonly-randconfig-006-20240827 (https://download.01.org/0day-ci/archive/20240827/202408270317.8wTE4P5l-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240827/202408270317.8wTE4P5l-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408270317.8wTE4P5l-lkp@intel.com/
All warnings (new ones prefixed by >>):
security/integrity/ima/ima_policy.c: In function 'ima_match_rules':
>> security/integrity/ima/ima_policy.c:654:52: warning: passing argument 1 of 'ima_filter_rule_match' makes integer from pointer without a cast [-Wint-conversion]
654 | rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
| ^~~~~
| |
| struct lsmblob *
In file included from security/integrity/ima/ima_policy.c:22:
security/integrity/ima/ima.h:558:45: note: expected 'u32' {aka 'unsigned int'} but argument is of type 'struct lsmblob *'
558 | static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
| ~~~~^~~~~
security/integrity/ima/ima_policy.c:663:52: warning: passing argument 1 of 'ima_filter_rule_match' makes integer from pointer without a cast [-Wint-conversion]
663 | rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
| ^~~~~
| |
| struct lsmblob *
security/integrity/ima/ima.h:558:45: note: expected 'u32' {aka 'unsigned int'} but argument is of type 'struct lsmblob *'
558 | static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
| ~~~~^~~~~
vim +/ima_filter_rule_match +654 security/integrity/ima/ima_policy.c
553
554 /**
555 * ima_match_rules - determine whether an inode matches the policy rule.
556 * @rule: a pointer to a rule
557 * @idmap: idmap of the mount the inode was found from
558 * @inode: a pointer to an inode
559 * @cred: a pointer to a credentials structure for user validation
560 * @secid: the secid of the task to be validated
561 * @func: LIM hook identifier
562 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
563 * @func_data: func specific data, may be NULL
564 *
565 * Returns true on rule match, false on failure.
566 */
567 static bool ima_match_rules(struct ima_rule_entry *rule,
568 struct mnt_idmap *idmap,
569 struct inode *inode, const struct cred *cred,
570 u32 secid, enum ima_hooks func, int mask,
571 const char *func_data)
572 {
573 int i;
574 bool result = false;
575 struct ima_rule_entry *lsm_rule = rule;
576 bool rule_reinitialized = false;
577
578 if ((rule->flags & IMA_FUNC) &&
579 (rule->func != func && func != POST_SETATTR))
580 return false;
581
582 switch (func) {
583 case KEY_CHECK:
584 case CRITICAL_DATA:
585 return ((rule->func == func) &&
586 ima_match_rule_data(rule, func_data, cred));
587 default:
588 break;
589 }
590
591 if ((rule->flags & IMA_MASK) &&
592 (rule->mask != mask && func != POST_SETATTR))
593 return false;
594 if ((rule->flags & IMA_INMASK) &&
595 (!(rule->mask & mask) && func != POST_SETATTR))
596 return false;
597 if ((rule->flags & IMA_FSMAGIC)
598 && rule->fsmagic != inode->i_sb->s_magic)
599 return false;
600 if ((rule->flags & IMA_FSNAME)
601 && strcmp(rule->fsname, inode->i_sb->s_type->name))
602 return false;
603 if ((rule->flags & IMA_FSUUID) &&
604 !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid))
605 return false;
606 if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
607 return false;
608 if (rule->flags & IMA_EUID) {
609 if (has_capability_noaudit(current, CAP_SETUID)) {
610 if (!rule->uid_op(cred->euid, rule->uid)
611 && !rule->uid_op(cred->suid, rule->uid)
612 && !rule->uid_op(cred->uid, rule->uid))
613 return false;
614 } else if (!rule->uid_op(cred->euid, rule->uid))
615 return false;
616 }
617 if ((rule->flags & IMA_GID) && !rule->gid_op(cred->gid, rule->gid))
618 return false;
619 if (rule->flags & IMA_EGID) {
620 if (has_capability_noaudit(current, CAP_SETGID)) {
621 if (!rule->gid_op(cred->egid, rule->gid)
622 && !rule->gid_op(cred->sgid, rule->gid)
623 && !rule->gid_op(cred->gid, rule->gid))
624 return false;
625 } else if (!rule->gid_op(cred->egid, rule->gid))
626 return false;
627 }
628 if ((rule->flags & IMA_FOWNER) &&
629 !rule->fowner_op(i_uid_into_vfsuid(idmap, inode),
630 rule->fowner))
631 return false;
632 if ((rule->flags & IMA_FGROUP) &&
633 !rule->fgroup_op(i_gid_into_vfsgid(idmap, inode),
634 rule->fgroup))
635 return false;
636 for (i = 0; i < MAX_LSM_RULES; i++) {
637 int rc = 0;
638 struct lsmblob blob = { };
639
640 if (!lsm_rule->lsm[i].rule) {
641 if (!lsm_rule->lsm[i].args_p)
642 continue;
643 else
644 return false;
645 }
646
647 retry:
648 switch (i) {
649 case LSM_OBJ_USER:
650 case LSM_OBJ_ROLE:
651 case LSM_OBJ_TYPE:
652 /* scaffolding */
653 security_inode_getsecid(inode, &blob.scaffold.secid);
> 654 rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
655 Audit_equal,
656 lsm_rule->lsm[i].rule);
657 break;
658 case LSM_SUBJ_USER:
659 case LSM_SUBJ_ROLE:
660 case LSM_SUBJ_TYPE:
661 /* scaffolding */
662 blob.scaffold.secid = secid;
663 rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
664 Audit_equal,
665 lsm_rule->lsm[i].rule);
666 break;
667 default:
668 break;
669 }
670
671 if (rc == -ESTALE && !rule_reinitialized) {
672 lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC);
673 if (lsm_rule) {
674 rule_reinitialized = true;
675 goto retry;
676 }
677 }
678 if (!rc) {
679 result = false;
680 goto out;
681 }
682 }
683 result = true;
684
685 out:
686 if (rule_reinitialized) {
687 for (i = 0; i < MAX_LSM_RULES; i++)
688 ima_filter_rule_free(lsm_rule->lsm[i].rule);
689 kfree(lsm_rule);
690 }
691 return result;
692 }
693
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH 03/13] LSM: Add lsmblob_to_secctx hook
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
2024-08-25 19:00 ` [PATCH 01/13] LSM: Add the lsmblob data structure Casey Schaufler
2024-08-25 19:00 ` [PATCH 02/13] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-26 17:43 ` Georgia Garcia
2024-08-25 19:00 ` [PATCH 04/13] Audit: maintain an lsmblob in audit_context Casey Schaufler
` (9 subsequent siblings)
12 siblings, 1 reply; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Add a new hook security_lsmblob_to_secctx() and its LSM specific
implementations. The LSM specific code will use the lsmblob element
allocated for that module. This allows for the possibility that more
than one module may be called upon to translate a secid to a string,
as can occur in the audit code.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hook_defs.h | 2 ++
include/linux/security.h | 11 +++++++++-
security/apparmor/include/secid.h | 2 ++
security/apparmor/lsm.c | 1 +
security/apparmor/secid.c | 36 +++++++++++++++++++++++++++++++
security/security.c | 30 ++++++++++++++++++++++++++
security/selinux/hooks.c | 16 ++++++++++++--
security/smack/smack_lsm.c | 31 +++++++++++++++++++++-----
8 files changed, 121 insertions(+), 8 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 1d3bdf71109e..3e5f6baa7b9f 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -291,6 +291,8 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)
LSM_HOOK(int, 0, ismaclabel, const char *name)
LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata,
u32 *seclen)
+LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob,
+ char **secdata, u32 *seclen)
LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid)
LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen)
LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
diff --git a/include/linux/security.h b/include/linux/security.h
index c0ed2119a622..457fafc32fb0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -520,6 +520,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
+ u32 *seclen);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
void security_release_secctx(char *secdata, u32 seclen);
void security_inode_invalidate_secctx(struct inode *inode);
@@ -1461,7 +1463,14 @@ static inline int security_ismaclabel(const char *name)
return 0;
}
-static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+static inline int security_secid_to_secctx(u32 secid, char **secdata,
+ u32 *seclen)
+{
+ return -EOPNOTSUPP;
+}
+
+static inline int security_lsmblob_to_secctx(struct lsmblob *blob,
+ char **secdata, u32 *seclen)
{
return -EOPNOTSUPP;
}
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index a912a5d5d04f..816a425e2023 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -26,6 +26,8 @@ extern int apparmor_display_secid_mode;
struct aa_label *aa_secid_to_label(u32 secid);
int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
+ u32 *seclen);
int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
void apparmor_release_secctx(char *secdata, u32 seclen);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 808060f9effb..050d103f5ca5 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1532,6 +1532,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
#endif
LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
+ LSM_HOOK_INIT(lsmblob_to_secctx, apparmor_lsmblob_to_secctx),
LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index 83d3d1e6d9dc..3c389e5810cd 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -90,6 +90,42 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
return 0;
}
+int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
+ u32 *seclen)
+{
+ /* TODO: cache secctx and ref count so we don't have to recreate */
+ struct aa_label *label;
+ int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT;
+ int len;
+
+ AA_BUG(!seclen);
+
+ /* scaffolding */
+ if (!blob->apparmor.label && blob->scaffold.secid)
+ label = aa_secid_to_label(blob->scaffold.secid);
+ else
+ label = blob->apparmor.label;
+
+ if (!label)
+ return -EINVAL;
+
+ if (apparmor_display_secid_mode)
+ flags |= FLAG_SHOW_MODE;
+
+ if (secdata)
+ len = aa_label_asxprint(secdata, root_ns, label,
+ flags, GFP_ATOMIC);
+ else
+ len = aa_label_snxprint(NULL, 0, root_ns, label, flags);
+
+ if (len < 0)
+ return -ENOMEM;
+
+ *seclen = len;
+
+ return 0;
+}
+
int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
struct aa_label *label;
diff --git a/security/security.c b/security/security.c
index 64a6d6bbd1f4..bb541a3be410 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4192,6 +4192,36 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
}
EXPORT_SYMBOL(security_secid_to_secctx);
+/**
+ * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx
+ * @blob: lsm specific information
+ * @secdata: secctx
+ * @seclen: secctx length
+ *
+ * Convert a @blob entry to security context. If @secdata is NULL the
+ * length of the result will be returned in @seclen, but no @secdata
+ * will be returned. This does mean that the length could change between
+ * calls to check the length and the next call which actually allocates
+ * and returns the @secdata.
+ *
+ * Return: Return 0 on success, error on failure.
+ */
+int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
+ u32 *seclen)
+{
+ struct security_hook_list *hp;
+ int rc;
+
+ hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
+ rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen);
+ if (rc != LSM_RET_DEFAULT(secid_to_secctx))
+ return rc;
+ }
+
+ return LSM_RET_DEFAULT(secid_to_secctx);
+}
+EXPORT_SYMBOL(security_lsmblob_to_secctx);
+
/**
* security_secctx_to_secid() - Convert a secctx to a secid
* @secdata: secctx
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 55c78c318ccd..102489e6d579 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6610,8 +6610,19 @@ static int selinux_ismaclabel(const char *name)
static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
- return security_sid_to_context(secid,
- secdata, seclen);
+ return security_sid_to_context(secid, secdata, seclen);
+}
+
+static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
+ u32 *seclen)
+{
+ u32 secid = blob->selinux.secid;
+
+ /* scaffolding */
+ if (!secid)
+ secid = blob->scaffold.secid;
+
+ return security_sid_to_context(secid, secdata, seclen);
}
static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
@@ -7388,6 +7399,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
+ LSM_HOOK_INIT(lsmblob_to_secctx, selinux_lsmblob_to_secctx),
LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 52d5ef986db8..5d74d8590862 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4787,7 +4787,7 @@ static int smack_audit_rule_known(struct audit_krule *krule)
static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
void *vrule)
{
- struct smack_known *skp;
+ struct smack_known *skp = blob->smack.skp;
char *rule = vrule;
if (unlikely(!rule)) {
@@ -4799,10 +4799,8 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
return 0;
/* scaffolding */
- if (!blob->smack.skp && blob->scaffold.secid)
+ if (!skp && blob->scaffold.secid)
skp = smack_from_secid(blob->scaffold.secid);
- else
- skp = blob->smack.skp;
/*
* No need to do string comparisons. If a match occurs,
@@ -4833,7 +4831,6 @@ static int smack_ismaclabel(const char *name)
return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
}
-
/**
* smack_secid_to_secctx - return the smack label for a secid
* @secid: incoming integer
@@ -4852,6 +4849,29 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
return 0;
}
+/**
+ * smack_lsmblob_to_secctx - return the smack label
+ * @blob: includes incoming Smack data
+ * @secdata: destination
+ * @seclen: how long it is
+ *
+ * Exists for audit code.
+ */
+static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
+ u32 *seclen)
+{
+ struct smack_known *skp = blob->smack.skp;
+
+ /* scaffolding */
+ if (!skp && blob->scaffold.secid)
+ skp = smack_from_secid(blob->scaffold.secid);
+
+ if (secdata)
+ *secdata = skp->smk_known;
+ *seclen = strlen(skp->smk_known);
+ return 0;
+}
+
/**
* smack_secctx_to_secid - return the secid for a smack label
* @secdata: smack label
@@ -5208,6 +5228,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
+ LSM_HOOK_INIT(lsmblob_to_secctx, smack_lsmblob_to_secctx),
LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* Re: [PATCH 03/13] LSM: Add lsmblob_to_secctx hook
2024-08-25 19:00 ` [PATCH 03/13] LSM: Add lsmblob_to_secctx hook Casey Schaufler
@ 2024-08-26 17:43 ` Georgia Garcia
2024-08-26 18:45 ` Casey Schaufler
0 siblings, 1 reply; 24+ messages in thread
From: Georgia Garcia @ 2024-08-26 17:43 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Hi Casey
On Sun, 2024-08-25 at 12:00 -0700, Casey Schaufler wrote:
> Add a new hook security_lsmblob_to_secctx() and its LSM specific
> implementations. The LSM specific code will use the lsmblob element
> allocated for that module. This allows for the possibility that more
> than one module may be called upon to translate a secid to a string,
> as can occur in the audit code.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/lsm_hook_defs.h | 2 ++
> include/linux/security.h | 11 +++++++++-
> security/apparmor/include/secid.h | 2 ++
> security/apparmor/lsm.c | 1 +
> security/apparmor/secid.c | 36 +++++++++++++++++++++++++++++++
> security/security.c | 30 ++++++++++++++++++++++++++
> security/selinux/hooks.c | 16 ++++++++++++--
> security/smack/smack_lsm.c | 31 +++++++++++++++++++++-----
> 8 files changed, 121 insertions(+), 8 deletions(-)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 1d3bdf71109e..3e5f6baa7b9f 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -291,6 +291,8 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)
> LSM_HOOK(int, 0, ismaclabel, const char *name)
> LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata,
> u32 *seclen)
> +LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob,
> + char **secdata, u32 *seclen)
> LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid)
> LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen)
> LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index c0ed2119a622..457fafc32fb0 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -520,6 +520,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
> int security_netlink_send(struct sock *sk, struct sk_buff *skb);
> int security_ismaclabel(const char *name);
> int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> + u32 *seclen);
> int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
> void security_release_secctx(char *secdata, u32 seclen);
> void security_inode_invalidate_secctx(struct inode *inode);
> @@ -1461,7 +1463,14 @@ static inline int security_ismaclabel(const char *name)
> return 0;
> }
>
> -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> +static inline int security_secid_to_secctx(u32 secid, char **secdata,
> + u32 *seclen)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +static inline int security_lsmblob_to_secctx(struct lsmblob *blob,
> + char **secdata, u32 *seclen)
> {
> return -EOPNOTSUPP;
> }
> diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
> index a912a5d5d04f..816a425e2023 100644
> --- a/security/apparmor/include/secid.h
> +++ b/security/apparmor/include/secid.h
> @@ -26,6 +26,8 @@ extern int apparmor_display_secid_mode;
>
> struct aa_label *aa_secid_to_label(u32 secid);
> int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> + u32 *seclen);
> int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
> void apparmor_release_secctx(char *secdata, u32 seclen);
>
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 808060f9effb..050d103f5ca5 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1532,6 +1532,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
> #endif
>
> LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
> + LSM_HOOK_INIT(lsmblob_to_secctx, apparmor_lsmblob_to_secctx),
> LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
> LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
>
> diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
> index 83d3d1e6d9dc..3c389e5810cd 100644
> --- a/security/apparmor/secid.c
> +++ b/security/apparmor/secid.c
> @@ -90,6 +90,42 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> return 0;
> }
>
> +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> + u32 *seclen)
> +{
> + /* TODO: cache secctx and ref count so we don't have to recreate */
> + struct aa_label *label;
> + int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT;
> + int len;
> +
> + AA_BUG(!seclen);
> +
> + /* scaffolding */
> + if (!blob->apparmor.label && blob->scaffold.secid)
> + label = aa_secid_to_label(blob->scaffold.secid);
> + else
> + label = blob->apparmor.label;
> +
It would improve maintainability if the rest of the function was
refactored into label_to_secctx(...), for example, so it could be
shared by apparmor_secid_to_secctx and apparmor_lsmblob_to_secctx.
> + if (!label)
> + return -EINVAL;
> +
> + if (apparmor_display_secid_mode)
> + flags |= FLAG_SHOW_MODE;
> +
> + if (secdata)
> + len = aa_label_asxprint(secdata, root_ns, label,
> + flags, GFP_ATOMIC);
> + else
> + len = aa_label_snxprint(NULL, 0, root_ns, label, flags);
> +
> + if (len < 0)
> + return -ENOMEM;
> +
> + *seclen = len;
> +
> + return 0;
> +}
> +
> int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
> {
> struct aa_label *label;
> diff --git a/security/security.c b/security/security.c
> index 64a6d6bbd1f4..bb541a3be410 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4192,6 +4192,36 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> }
> EXPORT_SYMBOL(security_secid_to_secctx);
>
> +/**
> + * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx
> + * @blob: lsm specific information
> + * @secdata: secctx
> + * @seclen: secctx length
> + *
> + * Convert a @blob entry to security context. If @secdata is NULL the
> + * length of the result will be returned in @seclen, but no @secdata
> + * will be returned. This does mean that the length could change between
> + * calls to check the length and the next call which actually allocates
> + * and returns the @secdata.
> + *
> + * Return: Return 0 on success, error on failure.
> + */
> +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> + u32 *seclen)
> +{
> + struct security_hook_list *hp;
> + int rc;
> +
> + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
> + rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen);
> + if (rc != LSM_RET_DEFAULT(secid_to_secctx))
> + return rc;
> + }
> +
> + return LSM_RET_DEFAULT(secid_to_secctx);
> +}
> +EXPORT_SYMBOL(security_lsmblob_to_secctx);
> +
> /**
> * security_secctx_to_secid() - Convert a secctx to a secid
> * @secdata: secctx
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 55c78c318ccd..102489e6d579 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6610,8 +6610,19 @@ static int selinux_ismaclabel(const char *name)
>
> static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> {
> - return security_sid_to_context(secid,
> - secdata, seclen);
> + return security_sid_to_context(secid, secdata, seclen);
> +}
> +
> +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> + u32 *seclen)
> +{
> + u32 secid = blob->selinux.secid;
> +
> + /* scaffolding */
> + if (!secid)
> + secid = blob->scaffold.secid;
> +
> + return security_sid_to_context(secid, secdata, seclen);
> }
>
> static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
> @@ -7388,6 +7399,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
> LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
> LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
> + LSM_HOOK_INIT(lsmblob_to_secctx, selinux_lsmblob_to_secctx),
> LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
> LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
> LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 52d5ef986db8..5d74d8590862 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -4787,7 +4787,7 @@ static int smack_audit_rule_known(struct audit_krule *krule)
> static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
> void *vrule)
> {
> - struct smack_known *skp;
> + struct smack_known *skp = blob->smack.skp;
> char *rule = vrule;
>
> if (unlikely(!rule)) {
> @@ -4799,10 +4799,8 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
> return 0;
>
> /* scaffolding */
> - if (!blob->smack.skp && blob->scaffold.secid)
> + if (!skp && blob->scaffold.secid)
> skp = smack_from_secid(blob->scaffold.secid);
> - else
> - skp = blob->smack.skp;
>
> /*
> * No need to do string comparisons. If a match occurs,
> @@ -4833,7 +4831,6 @@ static int smack_ismaclabel(const char *name)
> return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
> }
>
> -
> /**
> * smack_secid_to_secctx - return the smack label for a secid
> * @secid: incoming integer
> @@ -4852,6 +4849,29 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> return 0;
> }
>
> +/**
> + * smack_lsmblob_to_secctx - return the smack label
> + * @blob: includes incoming Smack data
> + * @secdata: destination
> + * @seclen: how long it is
> + *
> + * Exists for audit code.
> + */
> +static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> + u32 *seclen)
> +{
> + struct smack_known *skp = blob->smack.skp;
> +
> + /* scaffolding */
> + if (!skp && blob->scaffold.secid)
> + skp = smack_from_secid(blob->scaffold.secid);
> +
> + if (secdata)
> + *secdata = skp->smk_known;
> + *seclen = strlen(skp->smk_known);
> + return 0;
> +}
> +
> /**
> * smack_secctx_to_secid - return the secid for a smack label
> * @secdata: smack label
> @@ -5208,6 +5228,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
>
> LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
> LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
> + LSM_HOOK_INIT(lsmblob_to_secctx, smack_lsmblob_to_secctx),
> LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
> LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
> LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
^ permalink raw reply [flat|nested] 24+ messages in thread* Re: [PATCH 03/13] LSM: Add lsmblob_to_secctx hook
2024-08-26 17:43 ` Georgia Garcia
@ 2024-08-26 18:45 ` Casey Schaufler
2024-08-27 14:45 ` Georgia Garcia
0 siblings, 1 reply; 24+ messages in thread
From: Casey Schaufler @ 2024-08-26 18:45 UTC (permalink / raw)
To: Georgia Garcia, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic, Casey Schaufler
On 8/26/2024 10:43 AM, Georgia Garcia wrote:
> Hi Casey
>
> On Sun, 2024-08-25 at 12:00 -0700, Casey Schaufler wrote:
>> Add a new hook security_lsmblob_to_secctx() and its LSM specific
>> implementations. The LSM specific code will use the lsmblob element
>> allocated for that module. This allows for the possibility that more
>> than one module may be called upon to translate a secid to a string,
>> as can occur in the audit code.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>> include/linux/lsm_hook_defs.h | 2 ++
>> include/linux/security.h | 11 +++++++++-
>> security/apparmor/include/secid.h | 2 ++
>> security/apparmor/lsm.c | 1 +
>> security/apparmor/secid.c | 36 +++++++++++++++++++++++++++++++
>> security/security.c | 30 ++++++++++++++++++++++++++
>> security/selinux/hooks.c | 16 ++++++++++++--
>> security/smack/smack_lsm.c | 31 +++++++++++++++++++++-----
>> 8 files changed, 121 insertions(+), 8 deletions(-)
>>
>> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
>> index 1d3bdf71109e..3e5f6baa7b9f 100644
>> --- a/include/linux/lsm_hook_defs.h
>> +++ b/include/linux/lsm_hook_defs.h
>> @@ -291,6 +291,8 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)
>> LSM_HOOK(int, 0, ismaclabel, const char *name)
>> LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata,
>> u32 *seclen)
>> +LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob,
>> + char **secdata, u32 *seclen)
>> LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid)
>> LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen)
>> LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index c0ed2119a622..457fafc32fb0 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -520,6 +520,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
>> int security_netlink_send(struct sock *sk, struct sk_buff *skb);
>> int security_ismaclabel(const char *name);
>> int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>> +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
>> + u32 *seclen);
>> int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>> void security_release_secctx(char *secdata, u32 seclen);
>> void security_inode_invalidate_secctx(struct inode *inode);
>> @@ -1461,7 +1463,14 @@ static inline int security_ismaclabel(const char *name)
>> return 0;
>> }
>>
>> -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>> +static inline int security_secid_to_secctx(u32 secid, char **secdata,
>> + u32 *seclen)
>> +{
>> + return -EOPNOTSUPP;
>> +}
>> +
>> +static inline int security_lsmblob_to_secctx(struct lsmblob *blob,
>> + char **secdata, u32 *seclen)
>> {
>> return -EOPNOTSUPP;
>> }
>> diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
>> index a912a5d5d04f..816a425e2023 100644
>> --- a/security/apparmor/include/secid.h
>> +++ b/security/apparmor/include/secid.h
>> @@ -26,6 +26,8 @@ extern int apparmor_display_secid_mode;
>>
>> struct aa_label *aa_secid_to_label(u32 secid);
>> int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>> +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
>> + u32 *seclen);
>> int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>> void apparmor_release_secctx(char *secdata, u32 seclen);
>>
>> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
>> index 808060f9effb..050d103f5ca5 100644
>> --- a/security/apparmor/lsm.c
>> +++ b/security/apparmor/lsm.c
>> @@ -1532,6 +1532,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
>> #endif
>>
>> LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
>> + LSM_HOOK_INIT(lsmblob_to_secctx, apparmor_lsmblob_to_secctx),
>> LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
>> LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
>>
>> diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
>> index 83d3d1e6d9dc..3c389e5810cd 100644
>> --- a/security/apparmor/secid.c
>> +++ b/security/apparmor/secid.c
>> @@ -90,6 +90,42 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>> return 0;
>> }
>>
>> +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
>> + u32 *seclen)
>> +{
>> + /* TODO: cache secctx and ref count so we don't have to recreate */
>> + struct aa_label *label;
>> + int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT;
>> + int len;
>> +
>> + AA_BUG(!seclen);
>> +
>> + /* scaffolding */
>> + if (!blob->apparmor.label && blob->scaffold.secid)
>> + label = aa_secid_to_label(blob->scaffold.secid);
>> + else
>> + label = blob->apparmor.label;
>> +
> It would improve maintainability if the rest of the function was
> refactored into label_to_secctx(...), for example, so it could be
> shared by apparmor_secid_to_secctx and apparmor_lsmblob_to_secctx.
All uses of scaffold.secid disappear by patch 13/13 of this set.
This code, being temporary and short lived, would not benefit much
from being maintainable.
>
>> + if (!label)
>> + return -EINVAL;
>> +
>> + if (apparmor_display_secid_mode)
>> + flags |= FLAG_SHOW_MODE;
>> +
>> + if (secdata)
>> + len = aa_label_asxprint(secdata, root_ns, label,
>> + flags, GFP_ATOMIC);
>> + else
>> + len = aa_label_snxprint(NULL, 0, root_ns, label, flags);
>> +
>> + if (len < 0)
>> + return -ENOMEM;
>> +
>> + *seclen = len;
>> +
>> + return 0;
>> +}
>> +
>> int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
>> {
>> struct aa_label *label;
>> diff --git a/security/security.c b/security/security.c
>> index 64a6d6bbd1f4..bb541a3be410 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -4192,6 +4192,36 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>> }
>> EXPORT_SYMBOL(security_secid_to_secctx);
>>
>> +/**
>> + * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx
>> + * @blob: lsm specific information
>> + * @secdata: secctx
>> + * @seclen: secctx length
>> + *
>> + * Convert a @blob entry to security context. If @secdata is NULL the
>> + * length of the result will be returned in @seclen, but no @secdata
>> + * will be returned. This does mean that the length could change between
>> + * calls to check the length and the next call which actually allocates
>> + * and returns the @secdata.
>> + *
>> + * Return: Return 0 on success, error on failure.
>> + */
>> +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
>> + u32 *seclen)
>> +{
>> + struct security_hook_list *hp;
>> + int rc;
>> +
>> + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
>> + rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen);
>> + if (rc != LSM_RET_DEFAULT(secid_to_secctx))
>> + return rc;
>> + }
>> +
>> + return LSM_RET_DEFAULT(secid_to_secctx);
>> +}
>> +EXPORT_SYMBOL(security_lsmblob_to_secctx);
>> +
>> /**
>> * security_secctx_to_secid() - Convert a secctx to a secid
>> * @secdata: secctx
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 55c78c318ccd..102489e6d579 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -6610,8 +6610,19 @@ static int selinux_ismaclabel(const char *name)
>>
>> static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>> {
>> - return security_sid_to_context(secid,
>> - secdata, seclen);
>> + return security_sid_to_context(secid, secdata, seclen);
>> +}
>> +
>> +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
>> + u32 *seclen)
>> +{
>> + u32 secid = blob->selinux.secid;
>> +
>> + /* scaffolding */
>> + if (!secid)
>> + secid = blob->scaffold.secid;
>> +
>> + return security_sid_to_context(secid, secdata, seclen);
>> }
>>
>> static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
>> @@ -7388,6 +7399,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
>> LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
>> LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
>> LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
>> + LSM_HOOK_INIT(lsmblob_to_secctx, selinux_lsmblob_to_secctx),
>> LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
>> LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
>> LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index 52d5ef986db8..5d74d8590862 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -4787,7 +4787,7 @@ static int smack_audit_rule_known(struct audit_krule *krule)
>> static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
>> void *vrule)
>> {
>> - struct smack_known *skp;
>> + struct smack_known *skp = blob->smack.skp;
>> char *rule = vrule;
>>
>> if (unlikely(!rule)) {
>> @@ -4799,10 +4799,8 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
>> return 0;
>>
>> /* scaffolding */
>> - if (!blob->smack.skp && blob->scaffold.secid)
>> + if (!skp && blob->scaffold.secid)
>> skp = smack_from_secid(blob->scaffold.secid);
>> - else
>> - skp = blob->smack.skp;
>>
>> /*
>> * No need to do string comparisons. If a match occurs,
>> @@ -4833,7 +4831,6 @@ static int smack_ismaclabel(const char *name)
>> return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
>> }
>>
>> -
>> /**
>> * smack_secid_to_secctx - return the smack label for a secid
>> * @secid: incoming integer
>> @@ -4852,6 +4849,29 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>> return 0;
>> }
>>
>> +/**
>> + * smack_lsmblob_to_secctx - return the smack label
>> + * @blob: includes incoming Smack data
>> + * @secdata: destination
>> + * @seclen: how long it is
>> + *
>> + * Exists for audit code.
>> + */
>> +static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
>> + u32 *seclen)
>> +{
>> + struct smack_known *skp = blob->smack.skp;
>> +
>> + /* scaffolding */
>> + if (!skp && blob->scaffold.secid)
>> + skp = smack_from_secid(blob->scaffold.secid);
>> +
>> + if (secdata)
>> + *secdata = skp->smk_known;
>> + *seclen = strlen(skp->smk_known);
>> + return 0;
>> +}
>> +
>> /**
>> * smack_secctx_to_secid - return the secid for a smack label
>> * @secdata: smack label
>> @@ -5208,6 +5228,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
>>
>> LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
>> LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
>> + LSM_HOOK_INIT(lsmblob_to_secctx, smack_lsmblob_to_secctx),
>> LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
>> LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
>> LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
^ permalink raw reply [flat|nested] 24+ messages in thread* Re: [PATCH 03/13] LSM: Add lsmblob_to_secctx hook
2024-08-26 18:45 ` Casey Schaufler
@ 2024-08-27 14:45 ` Georgia Garcia
0 siblings, 0 replies; 24+ messages in thread
From: Georgia Garcia @ 2024-08-27 14:45 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
On Mon, 2024-08-26 at 11:45 -0700, Casey Schaufler wrote:
> On 8/26/2024 10:43 AM, Georgia Garcia wrote:
> > Hi Casey
> >
> > On Sun, 2024-08-25 at 12:00 -0700, Casey Schaufler wrote:
> > > Add a new hook security_lsmblob_to_secctx() and its LSM specific
> > > implementations. The LSM specific code will use the lsmblob element
> > > allocated for that module. This allows for the possibility that more
> > > than one module may be called upon to translate a secid to a string,
> > > as can occur in the audit code.
> > >
> > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > > ---
> > > include/linux/lsm_hook_defs.h | 2 ++
> > > include/linux/security.h | 11 +++++++++-
> > > security/apparmor/include/secid.h | 2 ++
> > > security/apparmor/lsm.c | 1 +
> > > security/apparmor/secid.c | 36 +++++++++++++++++++++++++++++++
> > > security/security.c | 30 ++++++++++++++++++++++++++
> > > security/selinux/hooks.c | 16 ++++++++++++--
> > > security/smack/smack_lsm.c | 31 +++++++++++++++++++++-----
> > > 8 files changed, 121 insertions(+), 8 deletions(-)
> > >
> > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> > > index 1d3bdf71109e..3e5f6baa7b9f 100644
> > > --- a/include/linux/lsm_hook_defs.h
> > > +++ b/include/linux/lsm_hook_defs.h
> > > @@ -291,6 +291,8 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)
> > > LSM_HOOK(int, 0, ismaclabel, const char *name)
> > > LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata,
> > > u32 *seclen)
> > > +LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob,
> > > + char **secdata, u32 *seclen)
> > > LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid)
> > > LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen)
> > > LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
> > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > index c0ed2119a622..457fafc32fb0 100644
> > > --- a/include/linux/security.h
> > > +++ b/include/linux/security.h
> > > @@ -520,6 +520,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
> > > int security_netlink_send(struct sock *sk, struct sk_buff *skb);
> > > int security_ismaclabel(const char *name);
> > > int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> > > +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> > > + u32 *seclen);
> > > int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
> > > void security_release_secctx(char *secdata, u32 seclen);
> > > void security_inode_invalidate_secctx(struct inode *inode);
> > > @@ -1461,7 +1463,14 @@ static inline int security_ismaclabel(const char *name)
> > > return 0;
> > > }
> > >
> > > -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> > > +static inline int security_secid_to_secctx(u32 secid, char **secdata,
> > > + u32 *seclen)
> > > +{
> > > + return -EOPNOTSUPP;
> > > +}
> > > +
> > > +static inline int security_lsmblob_to_secctx(struct lsmblob *blob,
> > > + char **secdata, u32 *seclen)
> > > {
> > > return -EOPNOTSUPP;
> > > }
> > > diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
> > > index a912a5d5d04f..816a425e2023 100644
> > > --- a/security/apparmor/include/secid.h
> > > +++ b/security/apparmor/include/secid.h
> > > @@ -26,6 +26,8 @@ extern int apparmor_display_secid_mode;
> > >
> > > struct aa_label *aa_secid_to_label(u32 secid);
> > > int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> > > +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> > > + u32 *seclen);
> > > int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
> > > void apparmor_release_secctx(char *secdata, u32 seclen);
> > >
> > > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > > index 808060f9effb..050d103f5ca5 100644
> > > --- a/security/apparmor/lsm.c
> > > +++ b/security/apparmor/lsm.c
> > > @@ -1532,6 +1532,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
> > > #endif
> > >
> > > LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
> > > + LSM_HOOK_INIT(lsmblob_to_secctx, apparmor_lsmblob_to_secctx),
> > > LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
> > > LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
> > >
> > > diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
> > > index 83d3d1e6d9dc..3c389e5810cd 100644
> > > --- a/security/apparmor/secid.c
> > > +++ b/security/apparmor/secid.c
> > > @@ -90,6 +90,42 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> > > return 0;
> > > }
> > >
> > > +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> > > + u32 *seclen)
> > > +{
> > > + /* TODO: cache secctx and ref count so we don't have to recreate */
> > > + struct aa_label *label;
> > > + int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT;
> > > + int len;
> > > +
> > > + AA_BUG(!seclen);
> > > +
> > > + /* scaffolding */
> > > + if (!blob->apparmor.label && blob->scaffold.secid)
> > > + label = aa_secid_to_label(blob->scaffold.secid);
> > > + else
> > > + label = blob->apparmor.label;
> > > +
> > It would improve maintainability if the rest of the function was
> > refactored into label_to_secctx(...), for example, so it could be
> > shared by apparmor_secid_to_secctx and apparmor_lsmblob_to_secctx.
>
> All uses of scaffold.secid disappear by patch 13/13 of this set.
> This code, being temporary and short lived, would not benefit much
> from being maintainable.
I was referring to the rest of the function which does not include the
scaffolding and remains duplicated by the end of the patch set.
From this section:
> >
> > > + if (!label)
> > > + return -EINVAL;
> > > +
> > > + if (apparmor_display_secid_mode)
> > > + flags |= FLAG_SHOW_MODE;
> > > +
> > > + if (secdata)
> > > + len = aa_label_asxprint(secdata, root_ns, label,
> > > + flags, GFP_ATOMIC);
> > > + else
> > > + len = aa_label_snxprint(NULL, 0, root_ns, label, flags);
> > > +
> > > + if (len < 0)
> > > + return -ENOMEM;
> > > +
> > > + *seclen = len;
> > > +
> > > + return 0;
> > > +}
To here.
> > > +
> > > int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
> > > {
> > > struct aa_label *label;
> > > diff --git a/security/security.c b/security/security.c
> > > index 64a6d6bbd1f4..bb541a3be410 100644
> > > --- a/security/security.c
> > > +++ b/security/security.c
> > > @@ -4192,6 +4192,36 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> > > }
> > > EXPORT_SYMBOL(security_secid_to_secctx);
> > >
> > > +/**
> > > + * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx
> > > + * @blob: lsm specific information
> > > + * @secdata: secctx
> > > + * @seclen: secctx length
> > > + *
> > > + * Convert a @blob entry to security context. If @secdata is NULL the
> > > + * length of the result will be returned in @seclen, but no @secdata
> > > + * will be returned. This does mean that the length could change between
> > > + * calls to check the length and the next call which actually allocates
> > > + * and returns the @secdata.
> > > + *
> > > + * Return: Return 0 on success, error on failure.
> > > + */
> > > +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> > > + u32 *seclen)
> > > +{
> > > + struct security_hook_list *hp;
> > > + int rc;
> > > +
> > > + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
> > > + rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen);
> > > + if (rc != LSM_RET_DEFAULT(secid_to_secctx))
> > > + return rc;
> > > + }
> > > +
> > > + return LSM_RET_DEFAULT(secid_to_secctx);
> > > +}
> > > +EXPORT_SYMBOL(security_lsmblob_to_secctx);
> > > +
> > > /**
> > > * security_secctx_to_secid() - Convert a secctx to a secid
> > > * @secdata: secctx
> > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > index 55c78c318ccd..102489e6d579 100644
> > > --- a/security/selinux/hooks.c
> > > +++ b/security/selinux/hooks.c
> > > @@ -6610,8 +6610,19 @@ static int selinux_ismaclabel(const char *name)
> > >
> > > static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> > > {
> > > - return security_sid_to_context(secid,
> > > - secdata, seclen);
> > > + return security_sid_to_context(secid, secdata, seclen);
> > > +}
> > > +
> > > +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> > > + u32 *seclen)
> > > +{
> > > + u32 secid = blob->selinux.secid;
> > > +
> > > + /* scaffolding */
> > > + if (!secid)
> > > + secid = blob->scaffold.secid;
> > > +
> > > + return security_sid_to_context(secid, secdata, seclen);
> > > }
> > >
> > > static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
> > > @@ -7388,6 +7399,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
> > > LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
> > > LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security),
> > > LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx),
> > > + LSM_HOOK_INIT(lsmblob_to_secctx, selinux_lsmblob_to_secctx),
> > > LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),
> > > LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security),
> > > LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security),
> > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> > > index 52d5ef986db8..5d74d8590862 100644
> > > --- a/security/smack/smack_lsm.c
> > > +++ b/security/smack/smack_lsm.c
> > > @@ -4787,7 +4787,7 @@ static int smack_audit_rule_known(struct audit_krule *krule)
> > > static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
> > > void *vrule)
> > > {
> > > - struct smack_known *skp;
> > > + struct smack_known *skp = blob->smack.skp;
> > > char *rule = vrule;
> > >
> > > if (unlikely(!rule)) {
> > > @@ -4799,10 +4799,8 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
> > > return 0;
> > >
> > > /* scaffolding */
> > > - if (!blob->smack.skp && blob->scaffold.secid)
> > > + if (!skp && blob->scaffold.secid)
> > > skp = smack_from_secid(blob->scaffold.secid);
> > > - else
> > > - skp = blob->smack.skp;
> > >
> > > /*
> > > * No need to do string comparisons. If a match occurs,
> > > @@ -4833,7 +4831,6 @@ static int smack_ismaclabel(const char *name)
> > > return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
> > > }
> > >
> > > -
> > > /**
> > > * smack_secid_to_secctx - return the smack label for a secid
> > > * @secid: incoming integer
> > > @@ -4852,6 +4849,29 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
> > > return 0;
> > > }
> > >
> > > +/**
> > > + * smack_lsmblob_to_secctx - return the smack label
> > > + * @blob: includes incoming Smack data
> > > + * @secdata: destination
> > > + * @seclen: how long it is
> > > + *
> > > + * Exists for audit code.
> > > + */
> > > +static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
> > > + u32 *seclen)
> > > +{
> > > + struct smack_known *skp = blob->smack.skp;
> > > +
> > > + /* scaffolding */
> > > + if (!skp && blob->scaffold.secid)
> > > + skp = smack_from_secid(blob->scaffold.secid);
> > > +
> > > + if (secdata)
> > > + *secdata = skp->smk_known;
> > > + *seclen = strlen(skp->smk_known);
> > > + return 0;
> > > +}
> > > +
> > > /**
> > > * smack_secctx_to_secid - return the secid for a smack label
> > > * @secdata: smack label
> > > @@ -5208,6 +5228,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
> > >
> > > LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
> > > LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
> > > + LSM_HOOK_INIT(lsmblob_to_secctx, smack_lsmblob_to_secctx),
> > > LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
> > > LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
> > > LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH 04/13] Audit: maintain an lsmblob in audit_context
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (2 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 03/13] LSM: Add lsmblob_to_secctx hook Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-27 15:01 ` Georgia Garcia
2024-08-25 19:00 ` [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
` (8 subsequent siblings)
12 siblings, 1 reply; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Replace the secid value stored in struct audit_context with a struct
lsmblob. Change the code that uses this value to accommodate the
change. security_audit_rule_match() expects a lsmblob, so existing
scaffolding can be removed. A call to security_secid_to_secctx()
is changed to security_lsmblob_to_secctx(). The call to
security_ipc_getsecid() is scaffolded.
A new function lsmblob_is_set() is introduced to identify whether
an lsmblob contains a non-zero value.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 13 +++++++++++++
kernel/audit.h | 3 ++-
kernel/auditsc.c | 19 ++++++++-----------
3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 457fafc32fb0..a0b23b6e8734 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -277,6 +277,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
return kernel_load_data_str[id];
}
+/**
+ * lsmblob_is_set - report if there is a value in the lsmblob
+ * @blob: Pointer to the exported LSM data
+ *
+ * Returns true if there is a value set, false otherwise
+ */
+static inline bool lsmblob_is_set(struct lsmblob *blob)
+{
+ const struct lsmblob empty = {};
+
+ return !!memcmp(blob, &empty, sizeof(*blob));
+}
+
#ifdef CONFIG_SECURITY
int call_blocking_lsm_notifier(enum lsm_event event, void *data);
diff --git a/kernel/audit.h b/kernel/audit.h
index a60d2840559e..b1f2de4d4f1e 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -11,6 +11,7 @@
#include <linux/fs.h>
#include <linux/audit.h>
+#include <linux/security.h>
#include <linux/skbuff.h>
#include <uapi/linux/mqueue.h>
#include <linux/tty.h>
@@ -160,7 +161,7 @@ struct audit_context {
kuid_t uid;
kgid_t gid;
umode_t mode;
- u32 osid;
+ struct lsmblob oblob;
int has_perm;
uid_t perm_uid;
gid_t perm_gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 23adb15cae43..84f6e9356b8f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
- /* scaffolding */
- blob.scaffold.secid = ctx->ipc.osid;
- if (security_audit_rule_match(&blob,
+ if (security_audit_rule_match(&ctx->ipc.oblob,
f->type, f->op,
f->lsm_rule))
++result;
@@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic)
audit_log_format(ab, " a%d=%lx", i,
context->socketcall.args[i]);
break; }
- case AUDIT_IPC: {
- u32 osid = context->ipc.osid;
-
+ case AUDIT_IPC:
audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
from_kuid(&init_user_ns, context->ipc.uid),
from_kgid(&init_user_ns, context->ipc.gid),
context->ipc.mode);
- if (osid) {
+ if (lsmblob_is_set(&context->ipc.oblob)) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(osid, &ctx, &len)) {
- audit_log_format(ab, " osid=%u", osid);
+ if (security_lsmblob_to_secctx(&context->ipc.oblob,
+ &ctx, &len)) {
*call_panic = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
@@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic)
context->ipc.perm_gid,
context->ipc.perm_mode);
}
- break; }
+ break;
case AUDIT_MQ_OPEN:
audit_log_format(ab,
"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
@@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
context->ipc.gid = ipcp->gid;
context->ipc.mode = ipcp->mode;
context->ipc.has_perm = 0;
- security_ipc_getsecid(ipcp, &context->ipc.osid);
+ /* scaffolding */
+ security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
context->type = AUDIT_IPC;
}
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* Re: [PATCH 04/13] Audit: maintain an lsmblob in audit_context
2024-08-25 19:00 ` [PATCH 04/13] Audit: maintain an lsmblob in audit_context Casey Schaufler
@ 2024-08-27 15:01 ` Georgia Garcia
2024-08-27 15:08 ` Georgia Garcia
0 siblings, 1 reply; 24+ messages in thread
From: Georgia Garcia @ 2024-08-27 15:01 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
On Sun, 2024-08-25 at 12:00 -0700, Casey Schaufler wrote:
> Replace the secid value stored in struct audit_context with a struct
> lsmblob. Change the code that uses this value to accommodate the
> change. security_audit_rule_match() expects a lsmblob, so existing
> scaffolding can be removed. A call to security_secid_to_secctx()
> is changed to security_lsmblob_to_secctx(). The call to
> security_ipc_getsecid() is scaffolded.
>
> A new function lsmblob_is_set() is introduced to identify whether
> an lsmblob contains a non-zero value.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/security.h | 13 +++++++++++++
> kernel/audit.h | 3 ++-
> kernel/auditsc.c | 19 ++++++++-----------
> 3 files changed, 23 insertions(+), 12 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 457fafc32fb0..a0b23b6e8734 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -277,6 +277,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
> return kernel_load_data_str[id];
> }
>
> +/**
> + * lsmblob_is_set - report if there is a value in the lsmblob
> + * @blob: Pointer to the exported LSM data
> + *
> + * Returns true if there is a value set, false otherwise
> + */
> +static inline bool lsmblob_is_set(struct lsmblob *blob)
> +{
> + const struct lsmblob empty = {};
> +
> + return !!memcmp(blob, &empty, sizeof(*blob));
> +}
> +
> #ifdef CONFIG_SECURITY
>
> int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> diff --git a/kernel/audit.h b/kernel/audit.h
> index a60d2840559e..b1f2de4d4f1e 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -11,6 +11,7 @@
>
> #include <linux/fs.h>
> #include <linux/audit.h>
> +#include <linux/security.h>
> #include <linux/skbuff.h>
> #include <uapi/linux/mqueue.h>
> #include <linux/tty.h>
> @@ -160,7 +161,7 @@ struct audit_context {
> kuid_t uid;
> kgid_t gid;
> umode_t mode;
> - u32 osid;
> + struct lsmblob oblob;
> int has_perm;
> uid_t perm_uid;
> gid_t perm_gid;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 23adb15cae43..84f6e9356b8f 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk,
> /* Find ipc objects that match */
> if (!ctx || ctx->type != AUDIT_IPC)
> break;
> - /* scaffolding */
> - blob.scaffold.secid = ctx->ipc.osid;
> - if (security_audit_rule_match(&blob,
> + if (security_audit_rule_match(&ctx->ipc.oblob,
> f->type, f->op,
> f->lsm_rule))
> ++result;
> @@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic)
> audit_log_format(ab, " a%d=%lx", i,
> context->socketcall.args[i]);
> break; }
> - case AUDIT_IPC: {
> - u32 osid = context->ipc.osid;
> -
> + case AUDIT_IPC:
> audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
> from_kuid(&init_user_ns, context->ipc.uid),
> from_kgid(&init_user_ns, context->ipc.gid),
> context->ipc.mode);
> - if (osid) {
> + if (lsmblob_is_set(&context->ipc.oblob)) {
> char *ctx = NULL;
> u32 len;
>
> - if (security_secid_to_secctx(osid, &ctx, &len)) {
> - audit_log_format(ab, " osid=%u", osid);
> + if (security_lsmblob_to_secctx(&context->ipc.oblob,
> + &ctx, &len)) {
Is there any reason to stop auditing secid when we fail to get the
security context?
> *call_panic = 1;
> } else {
> audit_log_format(ab, " obj=%s", ctx);
> @@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic)
> context->ipc.perm_gid,
> context->ipc.perm_mode);
> }
> - break; }
> + break;
> case AUDIT_MQ_OPEN:
> audit_log_format(ab,
> "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
> @@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
> context->ipc.gid = ipcp->gid;
> context->ipc.mode = ipcp->mode;
> context->ipc.has_perm = 0;
> - security_ipc_getsecid(ipcp, &context->ipc.osid);
> + /* scaffolding */
> + security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
> context->type = AUDIT_IPC;
> }
>
^ permalink raw reply [flat|nested] 24+ messages in thread* Re: [PATCH 04/13] Audit: maintain an lsmblob in audit_context
2024-08-27 15:01 ` Georgia Garcia
@ 2024-08-27 15:08 ` Georgia Garcia
0 siblings, 0 replies; 24+ messages in thread
From: Georgia Garcia @ 2024-08-27 15:08 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
On Tue, 2024-08-27 at 12:01 -0300, Georgia Garcia wrote:
> On Sun, 2024-08-25 at 12:00 -0700, Casey Schaufler wrote:
> > Replace the secid value stored in struct audit_context with a struct
> > lsmblob. Change the code that uses this value to accommodate the
> > change. security_audit_rule_match() expects a lsmblob, so existing
> > scaffolding can be removed. A call to security_secid_to_secctx()
> > is changed to security_lsmblob_to_secctx(). The call to
> > security_ipc_getsecid() is scaffolded.
> >
> > A new function lsmblob_is_set() is introduced to identify whether
> > an lsmblob contains a non-zero value.
> >
> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > ---
> > include/linux/security.h | 13 +++++++++++++
> > kernel/audit.h | 3 ++-
> > kernel/auditsc.c | 19 ++++++++-----------
> > 3 files changed, 23 insertions(+), 12 deletions(-)
> >
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index 457fafc32fb0..a0b23b6e8734 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -277,6 +277,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
> > return kernel_load_data_str[id];
> > }
> >
> > +/**
> > + * lsmblob_is_set - report if there is a value in the lsmblob
> > + * @blob: Pointer to the exported LSM data
> > + *
> > + * Returns true if there is a value set, false otherwise
> > + */
> > +static inline bool lsmblob_is_set(struct lsmblob *blob)
> > +{
> > + const struct lsmblob empty = {};
> > +
> > + return !!memcmp(blob, &empty, sizeof(*blob));
> > +}
> > +
> > #ifdef CONFIG_SECURITY
> >
> > int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> > diff --git a/kernel/audit.h b/kernel/audit.h
> > index a60d2840559e..b1f2de4d4f1e 100644
> > --- a/kernel/audit.h
> > +++ b/kernel/audit.h
> > @@ -11,6 +11,7 @@
> >
> > #include <linux/fs.h>
> > #include <linux/audit.h>
> > +#include <linux/security.h>
> > #include <linux/skbuff.h>
> > #include <uapi/linux/mqueue.h>
> > #include <linux/tty.h>
> > @@ -160,7 +161,7 @@ struct audit_context {
> > kuid_t uid;
> > kgid_t gid;
> > umode_t mode;
> > - u32 osid;
> > + struct lsmblob oblob;
> > int has_perm;
> > uid_t perm_uid;
> > gid_t perm_gid;
> > diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> > index 23adb15cae43..84f6e9356b8f 100644
> > --- a/kernel/auditsc.c
> > +++ b/kernel/auditsc.c
> > @@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk,
> > /* Find ipc objects that match */
> > if (!ctx || ctx->type != AUDIT_IPC)
> > break;
> > - /* scaffolding */
> > - blob.scaffold.secid = ctx->ipc.osid;
> > - if (security_audit_rule_match(&blob,
> > + if (security_audit_rule_match(&ctx->ipc.oblob,
> > f->type, f->op,
> > f->lsm_rule))
> > ++result;
> > @@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic)
> > audit_log_format(ab, " a%d=%lx", i,
> > context->socketcall.args[i]);
> > break; }
> > - case AUDIT_IPC: {
> > - u32 osid = context->ipc.osid;
> > -
> > + case AUDIT_IPC:
> > audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
> > from_kuid(&init_user_ns, context->ipc.uid),
> > from_kgid(&init_user_ns, context->ipc.gid),
> > context->ipc.mode);
> > - if (osid) {
> > + if (lsmblob_is_set(&context->ipc.oblob)) {
> > char *ctx = NULL;
> > u32 len;
> >
> > - if (security_secid_to_secctx(osid, &ctx, &len)) {
> > - audit_log_format(ab, " osid=%u", osid);
> > + if (security_lsmblob_to_secctx(&context->ipc.oblob,
> > + &ctx, &len)) {
>
> Is there any reason to stop auditing secid when we fail to get the
> security context?
Well, yes, if we're moving away from using secid for all LSMs, then it
doesn't make sense to audit it here anymore, so nevermind :)
>
> > *call_panic = 1;
> > } else {
> > audit_log_format(ab, " obj=%s", ctx);
> > @@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic)
> > context->ipc.perm_gid,
> > context->ipc.perm_mode);
> > }
> > - break; }
> > + break;
> > case AUDIT_MQ_OPEN:
> > audit_log_format(ab,
> > "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
> > @@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
> > context->ipc.gid = ipcp->gid;
> > context->ipc.mode = ipcp->mode;
> > context->ipc.has_perm = 0;
> > - security_ipc_getsecid(ipcp, &context->ipc.osid);
> > + /* scaffolding */
> > + security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
> > context->type = AUDIT_IPC;
> > }
> >
>
^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (3 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 04/13] Audit: maintain an lsmblob in audit_context Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-27 12:23 ` Stephen Smalley
2024-08-25 19:00 ` [PATCH 06/13] Audit: Update shutdown LSM data Casey Schaufler
` (7 subsequent siblings)
12 siblings, 1 reply; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic, linux-audit, audit
There may be more than one LSM that provides IPC data for auditing.
Change security_ipc_getsecid() to fill in a lsmblob structure instead
of the u32 secid. Change the name to security_ipc_getlsmblob() to
reflect the change. The audit data structure containing the secid
will be updated later, so there is a bit of scaffolding here.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
Cc: audit@vger.kernel.org
---
include/linux/lsm_hook_defs.h | 4 ++--
include/linux/security.h | 18 +++++++++++++++---
kernel/auditsc.c | 3 +--
security/security.c | 14 +++++++-------
security/selinux/hooks.c | 9 ++++++---
security/smack/smack_lsm.c | 17 ++++++++++-------
6 files changed, 41 insertions(+), 24 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 3e5f6baa7b9f..c3ffc3f98343 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -253,8 +253,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p,
struct inode *inode)
LSM_HOOK(int, 0, userns_create, const struct cred *cred)
LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag)
-LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp,
- u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp,
+ struct lsmblob *blob)
LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg)
LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg)
LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm)
diff --git a/include/linux/security.h b/include/linux/security.h
index a0b23b6e8734..ebe8edaae953 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -290,6 +290,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob)
return !!memcmp(blob, &empty, sizeof(*blob));
}
+/**
+ * lsmblob_init - initialize a lsmblob structure
+ * @blob: Pointer to the data to initialize
+ *
+ * Set all secid for all modules to the specified value.
+ */
+static inline void lsmblob_init(struct lsmblob *blob)
+{
+ memset(blob, 0, sizeof(*blob));
+}
+
#ifdef CONFIG_SECURITY
int call_blocking_lsm_notifier(enum lsm_event event, void *data);
@@ -500,7 +511,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
void security_task_to_inode(struct task_struct *p, struct inode *inode);
int security_create_user_ns(const struct cred *cred);
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
-void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
+void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob);
int security_msg_msg_alloc(struct msg_msg *msg);
void security_msg_msg_free(struct msg_msg *msg);
int security_msg_queue_alloc(struct kern_ipc_perm *msq);
@@ -1340,9 +1351,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp,
return 0;
}
-static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
+ struct lsmblob *blob)
{
- *secid = 0;
+ lsmblob_init(blob);
}
static inline int security_msg_msg_alloc(struct msg_msg *msg)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 84f6e9356b8f..94b7ef89da2e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
context->ipc.gid = ipcp->gid;
context->ipc.mode = ipcp->mode;
context->ipc.has_perm = 0;
- /* scaffolding */
- security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
+ security_ipc_getlsmblob(ipcp, &context->ipc.oblob);
context->type = AUDIT_IPC;
}
diff --git a/security/security.c b/security/security.c
index bb541a3be410..6e72e678b5b4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3611,17 +3611,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
}
/**
- * security_ipc_getsecid() - Get the sysv ipc object's secid
+ * security_ipc_getlsmblob() - Get the sysv ipc object LSM data
* @ipcp: ipc permission structure
- * @secid: secid pointer
+ * @blob: pointer to lsm information
*
- * Get the secid associated with the ipc object. In case of failure, @secid
- * will be set to zero.
+ * Get the lsm information associated with the ipc object.
*/
-void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+
+void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob)
{
- *secid = 0;
- call_void_hook(ipc_getsecid, ipcp, secid);
+ lsmblob_init(blob);
+ call_void_hook(ipc_getlsmblob, ipcp, blob);
}
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 102489e6d579..1b34b86426e8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6328,10 +6328,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
return ipc_has_perm(ipcp, av);
}
-static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
+ struct lsmblob *blob)
{
struct ipc_security_struct *isec = selinux_ipc(ipcp);
- *secid = isec->sid;
+ blob->selinux.secid = isec->sid;
+ /* scaffolding */
+ blob->scaffold.secid = isec->sid;
}
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
@@ -7252,7 +7255,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(userns_create, selinux_userns_create),
LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
- LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
+ LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob),
LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 5d74d8590862..370ca7fb1843 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3442,16 +3442,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
}
/**
- * smack_ipc_getsecid - Extract smack security id
+ * smack_ipc_getlsmblob - Extract smack security data
* @ipp: the object permissions
- * @secid: where result will be saved
+ * @blob: where result will be saved
*/
-static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
+static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp,
+ struct lsmblob *blob)
{
- struct smack_known **blob = smack_ipc(ipp);
- struct smack_known *iskp = *blob;
+ struct smack_known **iskpp = smack_ipc(ipp);
+ struct smack_known *iskp = *iskpp;
- *secid = iskp->smk_secid;
+ blob->smack.skp = iskp;
+ /* scaffolding */
+ blob->scaffold.secid = iskp->smk_secid;
}
/**
@@ -5157,7 +5160,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(task_to_inode, smack_task_to_inode),
LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
- LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
+ LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob),
LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* Re: [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid
2024-08-25 19:00 ` [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
@ 2024-08-27 12:23 ` Stephen Smalley
0 siblings, 0 replies; 24+ messages in thread
From: Stephen Smalley @ 2024-08-27 12:23 UTC (permalink / raw)
To: Casey Schaufler
Cc: paul, linux-security-module, jmorris, serge, keescook,
john.johansen, penguin-kernel, linux-kernel, mic, linux-audit,
audit
On Sun, Aug 25, 2024 at 3:02 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> There may be more than one LSM that provides IPC data for auditing.
> Change security_ipc_getsecid() to fill in a lsmblob structure instead
> of the u32 secid. Change the name to security_ipc_getlsmblob() to
> reflect the change. The audit data structure containing the secid
> will be updated later, so there is a bit of scaffolding here.
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: John Johansen <john.johansen@canonical.com>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Acked-by: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Cc: linux-audit@redhat.com
> Cc: audit@vger.kernel.org
1. Need to cc selinux list on patches that modify it.
2. Can't retain Acked-by or Reviewed-by lines if the patch has changed
since the review.
> ---
> include/linux/lsm_hook_defs.h | 4 ++--
> include/linux/security.h | 18 +++++++++++++++---
> kernel/auditsc.c | 3 +--
> security/security.c | 14 +++++++-------
> security/selinux/hooks.c | 9 ++++++---
> security/smack/smack_lsm.c | 17 ++++++++++-------
> 6 files changed, 41 insertions(+), 24 deletions(-)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 3e5f6baa7b9f..c3ffc3f98343 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -253,8 +253,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p,
> struct inode *inode)
> LSM_HOOK(int, 0, userns_create, const struct cred *cred)
> LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag)
> -LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp,
> - u32 *secid)
> +LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp,
> + struct lsmblob *blob)
> LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg)
> LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg)
> LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index a0b23b6e8734..ebe8edaae953 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -290,6 +290,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob)
> return !!memcmp(blob, &empty, sizeof(*blob));
> }
>
> +/**
> + * lsmblob_init - initialize a lsmblob structure
> + * @blob: Pointer to the data to initialize
> + *
> + * Set all secid for all modules to the specified value.
> + */
> +static inline void lsmblob_init(struct lsmblob *blob)
> +{
> + memset(blob, 0, sizeof(*blob));
> +}
> +
> #ifdef CONFIG_SECURITY
>
> int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> @@ -500,7 +511,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> void security_task_to_inode(struct task_struct *p, struct inode *inode);
> int security_create_user_ns(const struct cred *cred);
> int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
> -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
> +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob);
> int security_msg_msg_alloc(struct msg_msg *msg);
> void security_msg_msg_free(struct msg_msg *msg);
> int security_msg_queue_alloc(struct kern_ipc_perm *msq);
> @@ -1340,9 +1351,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp,
> return 0;
> }
>
> -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
> +static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
> + struct lsmblob *blob)
> {
> - *secid = 0;
> + lsmblob_init(blob);
> }
>
> static inline int security_msg_msg_alloc(struct msg_msg *msg)
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 84f6e9356b8f..94b7ef89da2e 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
> context->ipc.gid = ipcp->gid;
> context->ipc.mode = ipcp->mode;
> context->ipc.has_perm = 0;
> - /* scaffolding */
> - security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
> + security_ipc_getlsmblob(ipcp, &context->ipc.oblob);
> context->type = AUDIT_IPC;
> }
>
> diff --git a/security/security.c b/security/security.c
> index bb541a3be410..6e72e678b5b4 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -3611,17 +3611,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
> }
>
> /**
> - * security_ipc_getsecid() - Get the sysv ipc object's secid
> + * security_ipc_getlsmblob() - Get the sysv ipc object LSM data
> * @ipcp: ipc permission structure
> - * @secid: secid pointer
> + * @blob: pointer to lsm information
> *
> - * Get the secid associated with the ipc object. In case of failure, @secid
> - * will be set to zero.
> + * Get the lsm information associated with the ipc object.
> */
> -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
> +
> +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob)
> {
> - *secid = 0;
> - call_void_hook(ipc_getsecid, ipcp, secid);
> + lsmblob_init(blob);
> + call_void_hook(ipc_getlsmblob, ipcp, blob);
> }
>
> /**
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 102489e6d579..1b34b86426e8 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6328,10 +6328,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
> return ipc_has_perm(ipcp, av);
> }
>
> -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
> +static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
> + struct lsmblob *blob)
> {
> struct ipc_security_struct *isec = selinux_ipc(ipcp);
> - *secid = isec->sid;
> + blob->selinux.secid = isec->sid;
> + /* scaffolding */
> + blob->scaffold.secid = isec->sid;
> }
>
> static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
> @@ -7252,7 +7255,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(userns_create, selinux_userns_create),
>
> LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
> - LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
> + LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob),
>
> LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
> LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 5d74d8590862..370ca7fb1843 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -3442,16 +3442,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
> }
>
> /**
> - * smack_ipc_getsecid - Extract smack security id
> + * smack_ipc_getlsmblob - Extract smack security data
> * @ipp: the object permissions
> - * @secid: where result will be saved
> + * @blob: where result will be saved
> */
> -static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
> +static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp,
> + struct lsmblob *blob)
> {
> - struct smack_known **blob = smack_ipc(ipp);
> - struct smack_known *iskp = *blob;
> + struct smack_known **iskpp = smack_ipc(ipp);
> + struct smack_known *iskp = *iskpp;
>
> - *secid = iskp->smk_secid;
> + blob->smack.skp = iskp;
> + /* scaffolding */
> + blob->scaffold.secid = iskp->smk_secid;
> }
>
> /**
> @@ -5157,7 +5160,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(task_to_inode, smack_task_to_inode),
>
> LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
> - LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
> + LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob),
>
> LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
>
> --
> 2.41.0
>
^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH 06/13] Audit: Update shutdown LSM data
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (4 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-25 19:00 ` [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
` (6 subsequent siblings)
12 siblings, 0 replies; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
The audit process LSM information is changed from a secid audit_sig_sid
to an lsmblob in audit_sig_lsm. Update the users of this data
appropriately. Calls to security_secid_to_secctx() are changed to use
security_lsmblob_to_secctx() instead. security_current_getsecid_subj()
is scaffolded. It will be updated in a subsequent patch.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
kernel/audit.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index e7a62ebbf4d1..9dac776b60a7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -123,7 +123,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
/* The identity of the user shutting down the audit system. */
static kuid_t audit_sig_uid = INVALID_UID;
static pid_t audit_sig_pid = -1;
-static u32 audit_sig_sid;
+static struct lsmblob audit_sig_lsm;
/* Records can be lost in several ways:
0) [suppressed in audit_alloc]
@@ -1473,20 +1473,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
}
case AUDIT_SIGNAL_INFO:
len = 0;
- if (audit_sig_sid) {
- err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
+ if (lsmblob_is_set(&audit_sig_lsm)) {
+ err = security_lsmblob_to_secctx(&audit_sig_lsm, &ctx,
+ &len);
if (err)
return err;
}
sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL);
if (!sig_data) {
- if (audit_sig_sid)
+ if (lsmblob_is_set(&audit_sig_lsm))
security_release_secctx(ctx, len);
return -ENOMEM;
}
sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
sig_data->pid = audit_sig_pid;
- if (audit_sig_sid) {
+ if (lsmblob_is_set(&audit_sig_lsm)) {
memcpy(sig_data->ctx, ctx, len);
security_release_secctx(ctx, len);
}
@@ -2404,7 +2405,8 @@ int audit_signal_info(int sig, struct task_struct *t)
audit_sig_uid = auid;
else
audit_sig_uid = uid;
- security_current_getsecid_subj(&audit_sig_sid);
+ /* scaffolding */
+ security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid);
}
return audit_signal_info_syscall(t);
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (5 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 06/13] Audit: Update shutdown LSM data Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-26 21:24 ` kernel test robot
2024-08-25 19:00 ` [PATCH 08/13] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
` (5 subsequent siblings)
12 siblings, 1 reply; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic, linux-integrity,
linux-audit, netdev
Change the security_current_getsecid_subj() and
security_task_getsecid_obj() interfaces to fill in
a lsmblob structure instead of a u32 secid.
Audit interfaces will need to collect all
possible security data for possible reporting.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netdev@vger.kernel.org
---
include/linux/lsm_hook_defs.h | 6 +--
include/linux/security.h | 13 +++---
kernel/audit.c | 11 +++--
kernel/auditfilter.c | 3 +-
kernel/auditsc.c | 22 ++++++----
net/netlabel/netlabel_unlabeled.c | 5 ++-
net/netlabel/netlabel_user.h | 6 ++-
security/apparmor/lsm.c | 20 ++++++---
security/integrity/ima/ima.h | 6 +--
security/integrity/ima/ima_api.c | 6 +--
security/integrity/ima/ima_appraise.c | 6 +--
security/integrity/ima/ima_main.c | 59 ++++++++++++++-------------
security/integrity/ima/ima_policy.c | 14 +++----
security/security.c | 28 ++++++-------
security/selinux/hooks.c | 17 +++++---
security/smack/smack_lsm.c | 23 +++++++----
16 files changed, 138 insertions(+), 107 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index c3ffc3f98343..06c60f1aefa7 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -232,9 +232,9 @@ LSM_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred * old)
LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid)
LSM_HOOK(int, 0, task_getpgid, struct task_struct *p)
LSM_HOOK(int, 0, task_getsid, struct task_struct *p)
-LSM_HOOK(void, LSM_RET_VOID, current_getsecid_subj, u32 *secid)
-LSM_HOOK(void, LSM_RET_VOID, task_getsecid_obj,
- struct task_struct *p, u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, current_getlsmblob_subj, struct lsmblob *blob)
+LSM_HOOK(void, LSM_RET_VOID, task_getlsmblob_obj,
+ struct task_struct *p, struct lsmblob *blob)
LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice)
LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio)
LSM_HOOK(int, 0, task_getioprio, struct task_struct *p)
diff --git a/include/linux/security.h b/include/linux/security.h
index ebe8edaae953..b28f2f7fe4ef 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -492,8 +492,8 @@ int security_task_fix_setgroups(struct cred *new, const struct cred *old);
int security_task_setpgid(struct task_struct *p, pid_t pgid);
int security_task_getpgid(struct task_struct *p);
int security_task_getsid(struct task_struct *p);
-void security_current_getsecid_subj(u32 *secid);
-void security_task_getsecid_obj(struct task_struct *p, u32 *secid);
+void security_current_getlsmblob_subj(struct lsmblob *blob);
+void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob);
int security_task_setnice(struct task_struct *p, int nice);
int security_task_setioprio(struct task_struct *p, int ioprio);
int security_task_getioprio(struct task_struct *p);
@@ -1268,14 +1268,15 @@ static inline int security_task_getsid(struct task_struct *p)
return 0;
}
-static inline void security_current_getsecid_subj(u32 *secid)
+static inline void security_current_getlsmblob_subj(struct lsmblob *blob)
{
- *secid = 0;
+ lsmblob_init(blob);
}
-static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid)
+static inline void security_task_getlsmblob_obj(struct task_struct *p,
+ struct lsmblob *blob)
{
- *secid = 0;
+ lsmblob_init(blob);
}
static inline int security_task_setnice(struct task_struct *p, int nice)
diff --git a/kernel/audit.c b/kernel/audit.c
index 9dac776b60a7..97c0dea0e3a1 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -2179,16 +2179,16 @@ void audit_log_key(struct audit_buffer *ab, char *key)
int audit_log_task_context(struct audit_buffer *ab)
{
+ struct lsmblob blob;
char *ctx = NULL;
unsigned len;
int error;
- u32 sid;
- security_current_getsecid_subj(&sid);
- if (!sid)
+ security_current_getlsmblob_subj(&blob);
+ if (!lsmblob_is_set(&blob))
return 0;
- error = security_secid_to_secctx(sid, &ctx, &len);
+ error = security_lsmblob_to_secctx(&blob, &ctx, &len);
if (error) {
if (error != -EINVAL)
goto error_path;
@@ -2405,8 +2405,7 @@ int audit_signal_info(int sig, struct task_struct *t)
audit_sig_uid = auid;
else
audit_sig_uid = uid;
- /* scaffolding */
- security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid);
+ security_current_getlsmblob_subj(&audit_sig_lsm);
}
return audit_signal_info_syscall(t);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index c4c7cda3b846..06309227a0eb 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1371,8 +1371,7 @@ int audit_filter(int msgtype, unsigned int listtype)
case AUDIT_SUBJ_CLR:
if (f->lsm_rule) {
/* scaffolding */
- security_current_getsecid_subj(
- &blob.scaffold.secid);
+ security_current_getlsmblob_subj(&blob);
result = security_audit_rule_match(
&blob, f->type, f->op,
f->lsm_rule);
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 94b7ef89da2e..1f05445978f9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -470,7 +470,6 @@ static int audit_filter_rules(struct task_struct *tsk,
{
const struct cred *cred;
int i, need_sid = 1;
- u32 sid;
struct lsmblob blob = { };
unsigned int sessionid;
@@ -675,15 +674,14 @@ static int audit_filter_rules(struct task_struct *tsk,
* fork()/copy_process() in which case
* the new @tsk creds are still a dup
* of @current's creds so we can still
- * use security_current_getsecid_subj()
+ * use
+ * security_current_getlsmblob_subj()
* here even though it always refs
* @current's creds
*/
- security_current_getsecid_subj(&sid);
+ security_current_getlsmblob_subj(&blob);
need_sid = 0;
}
- /* scaffolding */
- blob.scaffold.secid = sid;
result = security_audit_rule_match(&blob,
f->type,
f->op,
@@ -2730,12 +2728,15 @@ int __audit_sockaddr(int len, void *a)
void __audit_ptrace(struct task_struct *t)
{
struct audit_context *context = audit_context();
+ struct lsmblob blob;
context->target_pid = task_tgid_nr(t);
context->target_auid = audit_get_loginuid(t);
context->target_uid = task_uid(t);
context->target_sessionid = audit_get_sessionid(t);
- security_task_getsecid_obj(t, &context->target_sid);
+ security_task_getlsmblob_obj(t, &blob);
+ /* scaffolding */
+ context->target_sid = blob.scaffold.secid;
memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
}
@@ -2751,6 +2752,7 @@ int audit_signal_info_syscall(struct task_struct *t)
struct audit_aux_data_pids *axp;
struct audit_context *ctx = audit_context();
kuid_t t_uid = task_uid(t);
+ struct lsmblob blob;
if (!audit_signals || audit_dummy_context())
return 0;
@@ -2762,7 +2764,9 @@ int audit_signal_info_syscall(struct task_struct *t)
ctx->target_auid = audit_get_loginuid(t);
ctx->target_uid = t_uid;
ctx->target_sessionid = audit_get_sessionid(t);
- security_task_getsecid_obj(t, &ctx->target_sid);
+ security_task_getlsmblob_obj(t, &blob);
+ /* scaffolding */
+ ctx->target_sid = blob.scaffold.secid;
memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
return 0;
}
@@ -2783,7 +2787,9 @@ int audit_signal_info_syscall(struct task_struct *t)
axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
axp->target_uid[axp->pid_count] = t_uid;
axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
- security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]);
+ security_task_getlsmblob_obj(t, &blob);
+ /* scaffolding */
+ axp->target_sid[axp->pid_count] = blob.scaffold.secid;
memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
axp->pid_count++;
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 9996883bf2b7..7f38dc9b6b57 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1534,11 +1534,14 @@ int __init netlbl_unlabel_defconf(void)
int ret_val;
struct netlbl_dom_map *entry;
struct netlbl_audit audit_info;
+ struct lsmblob blob;
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
- security_current_getsecid_subj(&audit_info.secid);
+ security_current_getlsmblob_subj(&blob);
+ /* scaffolding */
+ audit_info.secid = blob.scaffold.secid;
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index d6c5b31eb4eb..40841d7af1d8 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -32,7 +32,11 @@
*/
static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info)
{
- security_current_getsecid_subj(&audit_info->secid);
+ struct lsmblob blob;
+
+ security_current_getlsmblob_subj(&blob);
+ /* scaffolding */
+ audit_info->secid = blob.scaffold.secid;
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 050d103f5ca5..877c4e809ae8 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -982,17 +982,24 @@ static void apparmor_bprm_committed_creds(const struct linux_binprm *bprm)
return;
}
-static void apparmor_current_getsecid_subj(u32 *secid)
+static void apparmor_current_getlsmblob_subj(struct lsmblob *blob)
{
struct aa_label *label = __begin_current_label_crit_section();
- *secid = label->secid;
+
+ blob->apparmor.label = label;
+ /* scaffolding */
+ blob->scaffold.secid = label->secid;
__end_current_label_crit_section(label);
}
-static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid)
+static void apparmor_task_getlsmblob_obj(struct task_struct *p,
+ struct lsmblob *blob)
{
struct aa_label *label = aa_get_task_label(p);
- *secid = label->secid;
+
+ blob->apparmor.label = label;
+ /* scaffolding */
+ blob->scaffold.secid = label->secid;
aa_put_label(label);
}
@@ -1518,8 +1525,9 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
LSM_HOOK_INIT(task_free, apparmor_task_free),
LSM_HOOK_INIT(task_alloc, apparmor_task_alloc),
- LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj),
- LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj),
+ LSM_HOOK_INIT(current_getlsmblob_subj,
+ apparmor_current_getlsmblob_subj),
+ LSM_HOOK_INIT(task_getlsmblob_obj, apparmor_task_getlsmblob_obj),
LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
LSM_HOOK_INIT(task_kill, apparmor_task_kill),
LSM_HOOK_INIT(userns_create, apparmor_userns_create),
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index c51e24d24d1e..64bd77aa28e9 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -369,7 +369,7 @@ static inline void ima_process_queued_keys(void) {}
/* LIM API function definitions */
int ima_get_action(struct mnt_idmap *idmap, struct inode *inode,
- const struct cred *cred, u32 secid, int mask,
+ const struct cred *cred, struct lsmblob *blob, int mask,
enum ima_hooks func, int *pcr,
struct ima_template_desc **template_desc,
const char *func_data, unsigned int *allowed_algos);
@@ -400,8 +400,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
/* IMA policy related functions */
int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode,
- const struct cred *cred, u32 secid, enum ima_hooks func,
- int mask, int flags, int *pcr,
+ const struct cred *cred, struct lsmblob *blob,
+ enum ima_hooks func, int mask, int flags, int *pcr,
struct ima_template_desc **template_desc,
const char *func_data, unsigned int *allowed_algos);
void ima_init_policy(void);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 984e861f6e33..896cf716dd6d 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
* @idmap: idmap of the mount the inode was found from
* @inode: pointer to the inode associated with the object being validated
* @cred: pointer to credentials structure to validate
- * @secid: secid of the task being validated
+ * @blob: secid(s) of the task being validated
* @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
* MAY_APPEND)
* @func: caller identifier
@@ -187,7 +187,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
*
*/
int ima_get_action(struct mnt_idmap *idmap, struct inode *inode,
- const struct cred *cred, u32 secid, int mask,
+ const struct cred *cred, struct lsmblob *blob, int mask,
enum ima_hooks func, int *pcr,
struct ima_template_desc **template_desc,
const char *func_data, unsigned int *allowed_algos)
@@ -196,7 +196,7 @@ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode,
flags &= ima_policy_flag;
- return ima_match_policy(idmap, inode, cred, secid, func, mask,
+ return ima_match_policy(idmap, inode, cred, blob, func, mask,
flags, pcr, template_desc, func_data,
allowed_algos);
}
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 656c709b974f..b0db2f38efc6 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -73,13 +73,13 @@ bool is_ima_appraise_enabled(void)
int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
int mask, enum ima_hooks func)
{
- u32 secid;
+ struct lsmblob blob;
if (!ima_appraise)
return 0;
- security_current_getsecid_subj(&secid);
- return ima_match_policy(idmap, inode, current_cred(), secid,
+ security_current_getlsmblob_subj(&blob);
+ return ima_match_policy(idmap, inode, current_cred(), &blob,
func, mask, IMA_APPRAISE | IMA_HASH, NULL,
NULL, NULL, NULL);
}
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f04f43af651c..d408a700fe6f 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -206,8 +206,8 @@ static void ima_file_free(struct file *file)
}
static int process_measurement(struct file *file, const struct cred *cred,
- u32 secid, char *buf, loff_t size, int mask,
- enum ima_hooks func)
+ struct lsmblob *blob, char *buf, loff_t size,
+ int mask, enum ima_hooks func)
{
struct inode *real_inode, *inode = file_inode(file);
struct ima_iint_cache *iint = NULL;
@@ -232,7 +232,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
* bitmask based on the appraise/audit/measurement policy.
* Included is the appraise submask.
*/
- action = ima_get_action(file_mnt_idmap(file), inode, cred, secid,
+ action = ima_get_action(file_mnt_idmap(file), inode, cred, blob,
mask, func, &pcr, &template_desc, NULL,
&allowed_algos);
violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
@@ -443,23 +443,23 @@ static int process_measurement(struct file *file, const struct cred *cred,
static int ima_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags)
{
- u32 secid;
+ struct lsmblob blob;
int ret;
if (!file)
return 0;
- security_current_getsecid_subj(&secid);
+ security_current_getlsmblob_subj(&blob);
if (reqprot & PROT_EXEC) {
- ret = process_measurement(file, current_cred(), secid, NULL,
+ ret = process_measurement(file, current_cred(), &blob, NULL,
0, MAY_EXEC, MMAP_CHECK_REQPROT);
if (ret)
return ret;
}
if (prot & PROT_EXEC)
- return process_measurement(file, current_cred(), secid, NULL,
+ return process_measurement(file, current_cred(), &blob, NULL,
0, MAY_EXEC, MMAP_CHECK);
return 0;
@@ -488,9 +488,9 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
char *pathbuf = NULL;
const char *pathname = NULL;
struct inode *inode;
+ struct lsmblob blob;
int result = 0;
int action;
- u32 secid;
int pcr;
/* Is mprotect making an mmap'ed file executable? */
@@ -498,13 +498,13 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
!(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
return 0;
- security_current_getsecid_subj(&secid);
+ security_current_getlsmblob_subj(&blob);
inode = file_inode(vma->vm_file);
action = ima_get_action(file_mnt_idmap(vma->vm_file), inode,
- current_cred(), secid, MAY_EXEC, MMAP_CHECK,
+ current_cred(), &blob, MAY_EXEC, MMAP_CHECK,
&pcr, &template, NULL, NULL);
action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode,
- current_cred(), secid, MAY_EXEC,
+ current_cred(), &blob, MAY_EXEC,
MMAP_CHECK_REQPROT, &pcr, &template, NULL,
NULL);
@@ -542,15 +542,18 @@ static int ima_bprm_check(struct linux_binprm *bprm)
{
int ret;
u32 secid;
+ struct lsmblob blob = { };
- security_current_getsecid_subj(&secid);
- ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
- MAY_EXEC, BPRM_CHECK);
+ security_current_getlsmblob_subj(&blob);
+ ret = process_measurement(bprm->file, current_cred(),
+ &blob, NULL, 0, MAY_EXEC, BPRM_CHECK);
if (ret)
return ret;
security_cred_getsecid(bprm->cred, &secid);
- return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
+ /* scaffolding */
+ blob.scaffold.secid = secid;
+ return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0,
MAY_EXEC, CREDS_CHECK);
}
@@ -566,10 +569,10 @@ static int ima_bprm_check(struct linux_binprm *bprm)
*/
static int ima_file_check(struct file *file, int mask)
{
- u32 secid;
+ struct lsmblob blob;
- security_current_getsecid_subj(&secid);
- return process_measurement(file, current_cred(), secid, NULL, 0,
+ security_current_getlsmblob_subj(&blob);
+ return process_measurement(file, current_cred(), &blob, NULL, 0,
mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
MAY_APPEND), FILE_CHECK);
}
@@ -768,7 +771,7 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
bool contents)
{
enum ima_hooks func;
- u32 secid;
+ struct lsmblob blob;
/*
* Do devices using pre-allocated memory run the risk of the
@@ -788,9 +791,9 @@ static int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
/* Read entire file for all partial reads. */
func = read_idmap[read_id] ?: FILE_CHECK;
- security_current_getsecid_subj(&secid);
- return process_measurement(file, current_cred(), secid, NULL,
- 0, MAY_READ, func);
+ security_current_getlsmblob_subj(&blob);
+ return process_measurement(file, current_cred(), &blob, NULL, 0,
+ MAY_READ, func);
}
const int read_idmap[READING_MAX_ID] = {
@@ -818,7 +821,7 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size,
enum kernel_read_file_id read_id)
{
enum ima_hooks func;
- u32 secid;
+ struct lsmblob blob;
/* permit signed certs */
if (!file && read_id == READING_X509_CERTIFICATE)
@@ -831,8 +834,8 @@ static int ima_post_read_file(struct file *file, char *buf, loff_t size,
}
func = read_idmap[read_id] ?: FILE_CHECK;
- security_current_getsecid_subj(&secid);
- return process_measurement(file, current_cred(), secid, buf, size,
+ security_current_getlsmblob_subj(&blob);
+ return process_measurement(file, current_cred(), &blob, buf, size,
MAY_READ, func);
}
@@ -967,7 +970,7 @@ int process_buffer_measurement(struct mnt_idmap *idmap,
int digest_hash_len = hash_digest_size[ima_hash_algo];
int violation = 0;
int action = 0;
- u32 secid;
+ struct lsmblob blob;
if (digest && digest_len < digest_hash_len)
return -EINVAL;
@@ -990,9 +993,9 @@ int process_buffer_measurement(struct mnt_idmap *idmap,
* buffer measurements.
*/
if (func) {
- security_current_getsecid_subj(&secid);
+ security_current_getlsmblob_subj(&blob);
action = ima_get_action(idmap, inode, current_cred(),
- secid, 0, func, &pcr, &template,
+ &blob, 0, func, &pcr, &template,
func_data, NULL);
if (!(action & IMA_MEASURE) && !digest)
return -ENOENT;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 40119816b848..33bdbd031673 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -557,7 +557,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
* @idmap: idmap of the mount the inode was found from
* @inode: a pointer to an inode
* @cred: a pointer to a credentials structure for user validation
- * @secid: the secid of the task to be validated
+ * @blob: the secid(s) of the task to be validated
* @func: LIM hook identifier
* @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
* @func_data: func specific data, may be NULL
@@ -567,7 +567,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
static bool ima_match_rules(struct ima_rule_entry *rule,
struct mnt_idmap *idmap,
struct inode *inode, const struct cred *cred,
- u32 secid, enum ima_hooks func, int mask,
+ struct lsmblob *blob, enum ima_hooks func, int mask,
const char *func_data)
{
int i;
@@ -658,8 +658,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
case LSM_SUBJ_USER:
case LSM_SUBJ_ROLE:
case LSM_SUBJ_TYPE:
- /* scaffolding */
- blob.scaffold.secid = secid;
rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
Audit_equal,
lsm_rule->lsm[i].rule);
@@ -723,7 +721,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
* @inode: pointer to an inode for which the policy decision is being made
* @cred: pointer to a credentials structure for which the policy decision is
* being made
- * @secid: LSM secid of the task to be validated
+ * @blob: LSM secid(s) of the task to be validated
* @func: IMA hook identifier
* @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
* @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE)
@@ -740,8 +738,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
* than writes so ima_match_policy() is classical RCU candidate.
*/
int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode,
- const struct cred *cred, u32 secid, enum ima_hooks func,
- int mask, int flags, int *pcr,
+ const struct cred *cred, struct lsmblob *blob,
+ enum ima_hooks func, int mask, int flags, int *pcr,
struct ima_template_desc **template_desc,
const char *func_data, unsigned int *allowed_algos)
{
@@ -759,7 +757,7 @@ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode,
if (!(entry->action & actmask))
continue;
- if (!ima_match_rules(entry, idmap, inode, cred, secid,
+ if (!ima_match_rules(entry, idmap, inode, cred, blob,
func, mask, func_data))
continue;
diff --git a/security/security.c b/security/security.c
index 6e72e678b5b4..b6e28e20ac51 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3373,33 +3373,33 @@ int security_task_getsid(struct task_struct *p)
}
/**
- * security_current_getsecid_subj() - Get the current task's subjective secid
- * @secid: secid value
+ * security_current_getlsmblob_subj() - Current task's subjective LSM data
+ * @blob: lsm specific information
*
* Retrieve the subjective security identifier of the current task and return
- * it in @secid. In case of failure, @secid will be set to zero.
+ * it in @blob.
*/
-void security_current_getsecid_subj(u32 *secid)
+void security_current_getlsmblob_subj(struct lsmblob *blob)
{
- *secid = 0;
- call_void_hook(current_getsecid_subj, secid);
+ lsmblob_init(blob);
+ call_void_hook(current_getlsmblob_subj, blob);
}
-EXPORT_SYMBOL(security_current_getsecid_subj);
+EXPORT_SYMBOL(security_current_getlsmblob_subj);
/**
- * security_task_getsecid_obj() - Get a task's objective secid
+ * security_task_getlsmblob_obj() - Get a task's objective LSM data
* @p: target task
- * @secid: secid value
+ * @blob: lsm specific information
*
* Retrieve the objective security identifier of the task_struct in @p and
- * return it in @secid. In case of failure, @secid will be set to zero.
+ * return it in @blob.
*/
-void security_task_getsecid_obj(struct task_struct *p, u32 *secid)
+void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob)
{
- *secid = 0;
- call_void_hook(task_getsecid_obj, p, secid);
+ lsmblob_init(blob);
+ call_void_hook(task_getlsmblob_obj, p, blob);
}
-EXPORT_SYMBOL(security_task_getsecid_obj);
+EXPORT_SYMBOL(security_task_getlsmblob_obj);
/**
* security_task_setnice() - Check if setting a task's nice value is allowed
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1b34b86426e8..af48b8f868b7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4161,14 +4161,19 @@ static int selinux_task_getsid(struct task_struct *p)
PROCESS__GETSESSION, NULL);
}
-static void selinux_current_getsecid_subj(u32 *secid)
+static void selinux_current_getlsmblob_subj(struct lsmblob *blob)
{
- *secid = current_sid();
+ blob->selinux.secid = current_sid();
+ /* scaffolding */
+ blob->scaffold.secid = blob->selinux.secid;
}
-static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid)
+static void selinux_task_getlsmblob_obj(struct task_struct *p,
+ struct lsmblob *blob)
{
- *secid = task_sid_obj(p);
+ blob->selinux.secid = task_sid_obj(p);
+ /* scaffolding */
+ blob->scaffold.secid = blob->selinux.secid;
}
static int selinux_task_setnice(struct task_struct *p, int nice)
@@ -7240,8 +7245,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid),
LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),
LSM_HOOK_INIT(task_getsid, selinux_task_getsid),
- LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj),
- LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj),
+ LSM_HOOK_INIT(current_getlsmblob_subj, selinux_current_getlsmblob_subj),
+ LSM_HOOK_INIT(task_getlsmblob_obj, selinux_task_getlsmblob_obj),
LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 370ca7fb1843..86a370ec54f9 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2239,30 +2239,35 @@ static int smack_task_getsid(struct task_struct *p)
}
/**
- * smack_current_getsecid_subj - get the subjective secid of the current task
- * @secid: where to put the result
+ * smack_current_getlsmblob_subj - get the subjective secid of the current task
+ * @blob: where to put the result
*
* Sets the secid to contain a u32 version of the task's subjective smack label.
*/
-static void smack_current_getsecid_subj(u32 *secid)
+static void smack_current_getlsmblob_subj(struct lsmblob *blob)
{
struct smack_known *skp = smk_of_current();
- *secid = skp->smk_secid;
+ blob->smack.skp = skp;
+ /* scaffolding */
+ blob->scaffold.secid = skp->smk_secid;
}
/**
- * smack_task_getsecid_obj - get the objective secid of the task
+ * smack_task_getlsmblob_obj - get the objective data of the task
* @p: the task
* @secid: where to put the result
*
* Sets the secid to contain a u32 version of the task's objective smack label.
*/
-static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid)
+static void smack_task_getlsmblob_obj(struct task_struct *p,
+ struct lsmblob *blob)
{
struct smack_known *skp = smk_of_task_struct_obj(p);
- *secid = skp->smk_secid;
+ blob->smack.skp = skp;
+ /* scaffolding */
+ blob->scaffold.secid = skp->smk_secid;
}
/**
@@ -5148,8 +5153,8 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
LSM_HOOK_INIT(task_getpgid, smack_task_getpgid),
LSM_HOOK_INIT(task_getsid, smack_task_getsid),
- LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj),
- LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj),
+ LSM_HOOK_INIT(current_getlsmblob_subj, smack_current_getlsmblob_subj),
+ LSM_HOOK_INIT(task_getlsmblob_obj, smack_task_getlsmblob_obj),
LSM_HOOK_INIT(task_setnice, smack_task_setnice),
LSM_HOOK_INIT(task_setioprio, smack_task_setioprio),
LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* Re: [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid
2024-08-25 19:00 ` [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
@ 2024-08-26 21:24 ` kernel test robot
0 siblings, 0 replies; 24+ messages in thread
From: kernel test robot @ 2024-08-26 21:24 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: oe-kbuild-all, jmorris, serge, keescook, john.johansen,
penguin-kernel, stephen.smalley.work, linux-kernel, mic,
linux-integrity, linux-audit, netdev
Hi Casey,
kernel test robot noticed the following build warnings:
[auto build test WARNING on pcmoore-selinux/next]
[also build test WARNING on zohar-integrity/next-integrity linus/master pcmoore-audit/next v6.11-rc5 next-20240826]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Add-the-lsmblob-data-structure/20240826-170520
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
patch link: https://lore.kernel.org/r/20240825190048.13289-8-casey%40schaufler-ca.com
patch subject: [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid
config: arc-randconfig-001-20240827 (https://download.01.org/0day-ci/archive/20240827/202408270512.9cZ78Eog-lkp@intel.com/config)
compiler: arc-elf-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240827/202408270512.9cZ78Eog-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408270512.9cZ78Eog-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> security/smack/smack_lsm.c:2265: warning: Function parameter or struct member 'blob' not described in 'smack_task_getlsmblob_obj'
>> security/smack/smack_lsm.c:2265: warning: Excess function parameter 'secid' description in 'smack_task_getlsmblob_obj'
vim +2265 security/smack/smack_lsm.c
1fb057dcde11b35 Paul Moore 2021-02-19 2255
1fb057dcde11b35 Paul Moore 2021-02-19 2256 /**
fd64f9693f6c226 Casey Schaufler 2024-08-25 2257 * smack_task_getlsmblob_obj - get the objective data of the task
1fb057dcde11b35 Paul Moore 2021-02-19 2258 * @p: the task
1fb057dcde11b35 Paul Moore 2021-02-19 2259 * @secid: where to put the result
1fb057dcde11b35 Paul Moore 2021-02-19 2260 *
1fb057dcde11b35 Paul Moore 2021-02-19 2261 * Sets the secid to contain a u32 version of the task's objective smack label.
e114e473771c848 Casey Schaufler 2008-02-04 2262 */
fd64f9693f6c226 Casey Schaufler 2024-08-25 2263 static void smack_task_getlsmblob_obj(struct task_struct *p,
fd64f9693f6c226 Casey Schaufler 2024-08-25 2264 struct lsmblob *blob)
e114e473771c848 Casey Schaufler 2008-02-04 @2265 {
1fb057dcde11b35 Paul Moore 2021-02-19 2266 struct smack_known *skp = smk_of_task_struct_obj(p);
2f823ff8bec03a1 Casey Schaufler 2013-05-22 2267
fd64f9693f6c226 Casey Schaufler 2024-08-25 2268 blob->smack.skp = skp;
fd64f9693f6c226 Casey Schaufler 2024-08-25 2269 /* scaffolding */
fd64f9693f6c226 Casey Schaufler 2024-08-25 2270 blob->scaffold.secid = skp->smk_secid;
e114e473771c848 Casey Schaufler 2008-02-04 2271 }
e114e473771c848 Casey Schaufler 2008-02-04 2272
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH 08/13] LSM: Use lsmblob in security_inode_getsecid
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (6 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 07/13] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-25 19:00 ` [PATCH 09/13] Audit: use an lsmblob in audit_names Casey Schaufler
` (4 subsequent siblings)
12 siblings, 0 replies; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic, linux-integrity
Change the security_inode_getsecid() interface to fill in a
lsmblob structure instead of a u32 secid. This allows for its
callers to gather data from all registered LSMs. Data is provided
for IMA and audit. Change the name to security_inode_getlsmblob().
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
---
include/linux/lsm_hook_defs.h | 3 ++-
include/linux/security.h | 7 ++++---
kernel/auditsc.c | 6 +++++-
security/integrity/ima/ima_policy.c | 3 +--
security/security.c | 11 +++++------
security/selinux/hooks.c | 15 +++++++++------
security/smack/smack_lsm.c | 12 +++++++-----
7 files changed, 33 insertions(+), 24 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 06c60f1aefa7..4fd508841a6e 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -175,7 +175,8 @@ LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode,
const char *name, const void *value, size_t size, int flags)
LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
size_t buffer_size)
-LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, inode_getlsmblob, struct inode *inode,
+ struct lsmblob *blob)
LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new)
LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, struct dentry *src,
const char *name)
diff --git a/include/linux/security.h b/include/linux/security.h
index b28f2f7fe4ef..4fe6f64cc3b4 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -440,7 +440,7 @@ int security_inode_getsecurity(struct mnt_idmap *idmap,
void **buffer, bool alloc);
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
-void security_inode_getsecid(struct inode *inode, u32 *secid);
+void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob);
int security_inode_copy_up(struct dentry *src, struct cred **new);
int security_inode_copy_up_xattr(struct dentry *src, const char *name);
int security_kernfs_init_security(struct kernfs_node *kn_dir,
@@ -1046,9 +1046,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer,
return 0;
}
-static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
+static inline void security_inode_getlsmblob(struct inode *inode,
+ struct lsmblob *blob)
{
- *secid = 0;
+ lsmblob_init(blob);
}
static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 1f05445978f9..eb1c64a2af31 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2276,13 +2276,17 @@ static void audit_copy_inode(struct audit_names *name,
const struct dentry *dentry,
struct inode *inode, unsigned int flags)
{
+ struct lsmblob blob;
+
name->ino = inode->i_ino;
name->dev = inode->i_sb->s_dev;
name->mode = inode->i_mode;
name->uid = inode->i_uid;
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
- security_inode_getsecid(inode, &name->osid);
+ security_inode_getlsmblob(inode, &blob);
+ /* scaffolding */
+ name->osid = blob.scaffold.secid;
if (flags & AUDIT_INODE_NOEVAL) {
name->fcap_ver = -1;
return;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 33bdbd031673..35a8d3435507 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -649,8 +649,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
case LSM_OBJ_USER:
case LSM_OBJ_ROLE:
case LSM_OBJ_TYPE:
- /* scaffolding */
- security_inode_getsecid(inode, &blob.scaffold.secid);
+ security_inode_getlsmblob(inode, &blob);
rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type,
Audit_equal,
lsm_rule->lsm[i].rule);
diff --git a/security/security.c b/security/security.c
index b6e28e20ac51..c2be9798c012 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2622,16 +2622,15 @@ int security_inode_listsecurity(struct inode *inode,
EXPORT_SYMBOL(security_inode_listsecurity);
/**
- * security_inode_getsecid() - Get an inode's secid
+ * security_inode_getlsmblob() - Get an inode's LSM data
* @inode: inode
- * @secid: secid to return
+ * @blob: lsm specific information to return
*
- * Get the secid associated with the node. In case of failure, @secid will be
- * set to zero.
+ * Get the lsm specific information associated with the node.
*/
-void security_inode_getsecid(struct inode *inode, u32 *secid)
+void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob)
{
- call_void_hook(inode_getsecid, inode, secid);
+ call_void_hook(inode_getlsmblob, inode, blob);
}
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index af48b8f868b7..f5d09beeef0f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3505,15 +3505,18 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
return len;
}
-static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
+static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob)
{
struct inode_security_struct *isec = inode_security_novalidate(inode);
- *secid = isec->sid;
+
+ blob->selinux.secid = isec->sid;
+ /* scaffolding */
+ blob->scaffold.secid = isec->sid;
}
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
{
- u32 sid;
+ struct lsmblob blob;
struct task_security_struct *tsec;
struct cred *new_creds = *new;
@@ -3525,8 +3528,8 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
tsec = selinux_cred(new_creds);
/* Get label from overlay inode and set it in create_sid */
- selinux_inode_getsecid(d_inode(src), &sid);
- tsec->create_sid = sid;
+ selinux_inode_getlsmblob(d_inode(src), &blob);
+ tsec->create_sid = blob.selinux.secid;
*new = new_creds;
return 0;
}
@@ -7211,7 +7214,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity),
LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
- LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
+ LSM_HOOK_INIT(inode_getlsmblob, selinux_inode_getlsmblob),
LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
LSM_HOOK_INIT(path_notify, selinux_path_notify),
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 86a370ec54f9..8cda7dcf30e1 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1649,15 +1649,17 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
}
/**
- * smack_inode_getsecid - Extract inode's security id
+ * smack_inode_getlsmblob - Extract inode's security id
* @inode: inode to extract the info from
- * @secid: where result will be saved
+ * @blob: where result will be saved
*/
-static void smack_inode_getsecid(struct inode *inode, u32 *secid)
+static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob)
{
struct smack_known *skp = smk_of_inode(inode);
- *secid = skp->smk_secid;
+ blob->smack.skp = skp;
+ /* scaffolding */
+ blob->scaffold.secid = skp->smk_secid;
}
/*
@@ -5128,7 +5130,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity),
LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity),
LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity),
- LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
+ LSM_HOOK_INIT(inode_getlsmblob, smack_inode_getlsmblob),
LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* [PATCH 09/13] Audit: use an lsmblob in audit_names
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (7 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 08/13] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-25 19:00 ` [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
` (3 subsequent siblings)
12 siblings, 0 replies; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Replace the osid field in the audit_names structure with a
lsmblob structure. This accommodates the use of an lsmblob in
security_audit_rule_match() and security_inode_getsecid().
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
kernel/audit.h | 2 +-
kernel/auditsc.c | 20 +++++---------------
2 files changed, 6 insertions(+), 16 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index b1f2de4d4f1e..6c664aed8f89 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -82,7 +82,7 @@ struct audit_names {
kuid_t uid;
kgid_t gid;
dev_t rdev;
- u32 osid;
+ struct lsmblob oblob;
struct audit_cap_data fcap;
unsigned int fcap_ver;
unsigned char type; /* record type */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index eb1c64a2af31..886564532bbe 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -698,19 +698,15 @@ static int audit_filter_rules(struct task_struct *tsk,
if (f->lsm_rule) {
/* Find files that match */
if (name) {
- /* scaffolding */
- blob.scaffold.secid = name->osid;
result = security_audit_rule_match(
- &blob,
+ &name->oblob,
f->type,
f->op,
f->lsm_rule);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
- /* scaffolding */
- blob.scaffold.secid = n->osid;
if (security_audit_rule_match(
- &blob,
+ &n->oblob,
f->type,
f->op,
f->lsm_rule)) {
@@ -1562,13 +1558,11 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
from_kgid(&init_user_ns, n->gid),
MAJOR(n->rdev),
MINOR(n->rdev));
- if (n->osid != 0) {
+ if (lsmblob_is_set(&n->oblob)) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(
- n->osid, &ctx, &len)) {
- audit_log_format(ab, " osid=%u", n->osid);
+ if (security_lsmblob_to_secctx(&n->oblob, &ctx, &len)) {
if (call_panic)
*call_panic = 2;
} else {
@@ -2276,17 +2270,13 @@ static void audit_copy_inode(struct audit_names *name,
const struct dentry *dentry,
struct inode *inode, unsigned int flags)
{
- struct lsmblob blob;
-
name->ino = inode->i_ino;
name->dev = inode->i_sb->s_dev;
name->mode = inode->i_mode;
name->uid = inode->i_uid;
name->gid = inode->i_gid;
name->rdev = inode->i_rdev;
- security_inode_getlsmblob(inode, &blob);
- /* scaffolding */
- name->osid = blob.scaffold.secid;
+ security_inode_getlsmblob(inode, &name->oblob);
if (flags & AUDIT_INODE_NOEVAL) {
name->fcap_ver = -1;
return;
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (8 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 09/13] Audit: use an lsmblob in audit_names Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-27 5:00 ` kernel test robot
2024-08-25 19:00 ` [PATCH 11/13] Audit: Change context data from secid to lsmblob Casey Schaufler
` (2 subsequent siblings)
12 siblings, 1 reply; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic, linux-integrity, audit,
Todd Kjos
Create a new LSM hook security_cred_getlsmblob() which, like
security_cred_getsecid(), fetches LSM specific attributes from the
cred structure. The associated data elements in the audit sub-system
are changed from a secid to a lsmblob to accommodate multiple possible
LSM audit users.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com>
---
include/linux/lsm_hook_defs.h | 2 ++
include/linux/security.h | 7 +++++++
security/integrity/ima/ima_main.c | 7 ++-----
security/security.c | 15 +++++++++++++++
security/selinux/hooks.c | 8 ++++++++
security/smack/smack_lsm.c | 18 ++++++++++++++++++
6 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 4fd508841a6e..4bdd36626633 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -215,6 +215,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old,
LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new,
const struct cred *old)
LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, cred_getlsmblob, const struct cred *c,
+ struct lsmblob *blob)
LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid)
LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode)
LSM_HOOK(int, 0, kernel_module_request, char *kmod_name)
diff --git a/include/linux/security.h b/include/linux/security.h
index 4fe6f64cc3b4..111c1fc18f25 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -473,6 +473,7 @@ void security_cred_free(struct cred *cred);
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
void security_transfer_creds(struct cred *new, const struct cred *old);
void security_cred_getsecid(const struct cred *c, u32 *secid);
+void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob);
int security_kernel_act_as(struct cred *new, u32 secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_module_request(char *kmod_name);
@@ -1192,6 +1193,12 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid)
*secid = 0;
}
+static inline void security_cred_getlsmblob(const struct cred *c,
+ struct lsmblob *blob)
+{
+ *secid = 0;
+}
+
static inline int security_kernel_act_as(struct cred *cred, u32 secid)
{
return 0;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index d408a700fe6f..8171da96a4a4 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -541,8 +541,7 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
static int ima_bprm_check(struct linux_binprm *bprm)
{
int ret;
- u32 secid;
- struct lsmblob blob = { };
+ struct lsmblob blob;
security_current_getlsmblob_subj(&blob);
ret = process_measurement(bprm->file, current_cred(),
@@ -550,9 +549,7 @@ static int ima_bprm_check(struct linux_binprm *bprm)
if (ret)
return ret;
- security_cred_getsecid(bprm->cred, &secid);
- /* scaffolding */
- blob.scaffold.secid = secid;
+ security_cred_getlsmblob(bprm->cred, &blob);
return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0,
MAY_EXEC, CREDS_CHECK);
}
diff --git a/security/security.c b/security/security.c
index c2be9798c012..325030bc7112 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3153,6 +3153,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid)
}
EXPORT_SYMBOL(security_cred_getsecid);
+/**
+ * security_cred_getlsmblob() - Get the LSM data from a set of credentials
+ * @c: credentials
+ * @blob: destination for the LSM data
+ *
+ * Retrieve the security data of the cred structure @c. In case of
+ * failure, @blob will be cleared.
+ */
+void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob)
+{
+ lsmblob_init(blob);
+ call_void_hook(cred_getlsmblob, c, blob);
+}
+EXPORT_SYMBOL(security_cred_getlsmblob);
+
/**
* security_kernel_act_as() - Set the kernel credentials to act as secid
* @new: credentials
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f5d09beeef0f..076511c446bd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4029,6 +4029,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
*secid = cred_sid(c);
}
+static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob)
+{
+ blob->selinux.secid = cred_sid(c);
+ /* scaffolding */
+ blob->scaffold.secid = blob->selinux.secid;
+}
+
/*
* set the security data for a kernel service
* - all the creation contexts are set to unlabelled
@@ -7240,6 +7247,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
+ LSM_HOOK_INIT(cred_getlsmblob, selinux_cred_getlsmblob),
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8cda7dcf30e1..dbcf1c65da3c 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2150,6 +2150,23 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
rcu_read_unlock();
}
+/**
+ * smack_cred_getlsmblob - get the Smack label for a creds structure
+ * @cred: the object creds
+ * @blob: where to put the data
+ *
+ * Sets the Smack part of the blob
+ */
+static void smack_cred_getlsmblob(const struct cred *cred,
+ struct lsmblob *blob)
+{
+ rcu_read_lock();
+ blob->smack.skp = smk_of_task(smack_cred(cred));
+ /* scaffolding */
+ blob->scaffold.secid = blob->smack.skp->smk_secid;
+ rcu_read_unlock();
+}
+
/**
* smack_kernel_act_as - Set the subjective context in a set of credentials
* @new: points to the set of credentials to be modified.
@@ -5150,6 +5167,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, smack_cred_prepare),
LSM_HOOK_INIT(cred_transfer, smack_cred_transfer),
LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid),
+ LSM_HOOK_INIT(cred_getlsmblob, smack_cred_getlsmblob),
LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as),
LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as),
LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* Re: [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook
2024-08-25 19:00 ` [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
@ 2024-08-27 5:00 ` kernel test robot
0 siblings, 0 replies; 24+ messages in thread
From: kernel test robot @ 2024-08-27 5:00 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: llvm, oe-kbuild-all, jmorris, serge, keescook, john.johansen,
penguin-kernel, stephen.smalley.work, linux-kernel, mic,
linux-integrity, audit, Todd Kjos
Hi Casey,
kernel test robot noticed the following build errors:
[auto build test ERROR on pcmoore-selinux/next]
[also build test ERROR on zohar-integrity/next-integrity linus/master pcmoore-audit/next v6.11-rc5 next-20240826]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Add-the-lsmblob-data-structure/20240826-170520
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
patch link: https://lore.kernel.org/r/20240825190048.13289-11-casey%40schaufler-ca.com
patch subject: [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook
config: s390-allnoconfig (https://download.01.org/0day-ci/archive/20240827/202408271124.LJcw8xus-lkp@intel.com/config)
compiler: clang version 20.0.0git (https://github.com/llvm/llvm-project 08e5a1de8227512d4774a534b91cb2353cef6284)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240827/202408271124.LJcw8xus-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408271124.LJcw8xus-lkp@intel.com/
All errors (new ones prefixed by >>):
In file included from fs/open.c:9:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/open.c:14:
In file included from include/linux/tty.h:11:
In file included from include/linux/tty_port.h:5:
In file included from include/linux/kfifo.h:40:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:548:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
548 | val = __raw_readb(PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:561:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
561 | val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
37 | #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
| ^
include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
| ^
In file included from fs/open.c:14:
In file included from include/linux/tty.h:11:
In file included from include/linux/tty_port.h:5:
In file included from include/linux/kfifo.h:40:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:574:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
574 | val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
35 | #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
| ^
include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
115 | #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
| ^
In file included from fs/open.c:14:
In file included from include/linux/tty.h:11:
In file included from include/linux/tty_port.h:5:
In file included from include/linux/kfifo.h:40:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:585:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
585 | __raw_writeb(value, PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:595:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
595 | __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:605:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
605 | __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:693:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
693 | readsb(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:701:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
701 | readsw(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:709:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
709 | readsl(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:718:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
718 | writesb(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:727:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
727 | writesw(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:736:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
736 | writesl(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
In file included from fs/open.c:19:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
13 warnings and 1 error generated.
--
In file included from fs/read_write.c:14:
In file included from include/linux/fsnotify.h:16:
In file included from include/linux/audit.h:13:
In file included from include/linux/ptrace.h:10:
In file included from include/linux/pid_namespace.h:7:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/read_write.c:15:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
1 warning and 1 error generated.
--
In file included from fs/namei.c:25:
In file included from include/linux/pagemap.h:8:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/namei.c:29:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
In file included from fs/namei.c:41:
In file included from include/linux/init_task.h:18:
In file included from include/net/net_namespace.h:43:
In file included from include/linux/skbuff.h:28:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:548:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
548 | val = __raw_readb(PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:561:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
561 | val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
37 | #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
| ^
include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
| ^
In file included from fs/namei.c:41:
In file included from include/linux/init_task.h:18:
In file included from include/net/net_namespace.h:43:
In file included from include/linux/skbuff.h:28:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:574:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
574 | val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
35 | #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
| ^
include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
115 | #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
| ^
In file included from fs/namei.c:41:
In file included from include/linux/init_task.h:18:
In file included from include/net/net_namespace.h:43:
In file included from include/linux/skbuff.h:28:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:585:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
585 | __raw_writeb(value, PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:595:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
595 | __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:605:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
605 | __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:693:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
693 | readsb(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:701:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
701 | readsw(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:709:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
709 | readsl(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:718:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
718 | writesb(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:727:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
727 | writesw(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:736:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
736 | writesl(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
13 warnings and 1 error generated.
--
In file included from fs/splice.c:21:
In file included from include/linux/bvec.h:10:
In file included from include/linux/highmem.h:10:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/splice.c:27:
include/linux/mm_inline.h:47:41: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
47 | __mod_lruvec_state(lruvec, NR_LRU_BASE + lru, nr_pages);
| ~~~~~~~~~~~ ^ ~~~
include/linux/mm_inline.h:49:22: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
49 | NR_ZONE_LRU_BASE + lru, nr_pages);
| ~~~~~~~~~~~~~~~~ ^ ~~~
In file included from fs/splice.c:31:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:10:
In file included from include/linux/perf_event.h:62:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
3 warnings and 1 error generated.
--
In file included from fs/statfs.c:2:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:5:
In file included from include/linux/tracepoint.h:21:
In file included from include/linux/static_call.h:135:
In file included from include/linux/cpu.h:17:
In file included from include/linux/node.h:18:
In file included from include/linux/device.h:32:
In file included from include/linux/device/driver.h:21:
In file included from include/linux/module.h:19:
In file included from include/linux/elf.h:6:
In file included from arch/s390/include/asm/elf.h:181:
In file included from arch/s390/include/asm/mmu_context.h:11:
In file included from arch/s390/include/asm/pgalloc.h:18:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/statfs.c:2:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:10:
In file included from include/linux/perf_event.h:62:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
fs/statfs.c:131:3: warning: 'memcpy' will always overflow; destination buffer has size 88, but size argument is 120 [-Wfortify-source]
131 | memcpy(&buf, st, sizeof(*st));
| ^
fs/statfs.c:172:3: warning: 'memcpy' will always overflow; destination buffer has size 88, but size argument is 120 [-Wfortify-source]
172 | memcpy(&buf, st, sizeof(*st));
| ^
3 warnings and 1 error generated.
--
In file included from fs/aio.c:20:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:5:
In file included from include/linux/tracepoint.h:21:
In file included from include/linux/static_call.h:135:
In file included from include/linux/cpu.h:17:
In file included from include/linux/node.h:18:
In file included from include/linux/device.h:32:
In file included from include/linux/device/driver.h:21:
In file included from include/linux/module.h:19:
In file included from include/linux/elf.h:6:
In file included from arch/s390/include/asm/elf.h:181:
In file included from arch/s390/include/asm/mmu_context.h:11:
In file included from arch/s390/include/asm/pgalloc.h:18:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/aio.c:20:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:10:
In file included from include/linux/perf_event.h:62:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
In file included from fs/aio.c:29:
include/linux/mman.h:158:9: warning: division by zero is undefined [-Wdivision-by-zero]
158 | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) |
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/mman.h:136:21: note: expanded from macro '_calc_vm_trans'
136 | : ((x) & (bit1)) / ((bit1) / (bit2))))
| ^ ~~~~~~~~~~~~~~~~~
include/linux/mman.h:159:9: warning: division by zero is undefined [-Wdivision-by-zero]
159 | _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) |
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/mman.h:136:21: note: expanded from macro '_calc_vm_trans'
136 | : ((x) & (bit1)) / ((bit1) / (bit2))))
| ^ ~~~~~~~~~~~~~~~~~
3 warnings and 1 error generated.
vim +/secid +1199 include/linux/security.h
1195
1196 static inline void security_cred_getlsmblob(const struct cred *c,
1197 struct lsmblob *blob)
1198 {
> 1199 *secid = 0;
1200 }
1201
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 24+ messages in thread
* [PATCH 11/13] Audit: Change context data from secid to lsmblob
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (9 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-25 19:00 ` [PATCH 12/13] Netlabel: Use lsmblob for audit data Casey Schaufler
2024-08-25 19:00 ` [PATCH 13/13] LSM: Remove lsmblob scaffolding Casey Schaufler
12 siblings, 0 replies; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Change the LSM data stored in the audit transactions from a secid
to an LSM blob. This is done in struct audit_context and struct
audit_aux_data_pids. Several cases of scaffolding can be removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
kernel/audit.h | 2 +-
kernel/auditfilter.c | 1 -
kernel/auditsc.c | 31 ++++++++++++-------------------
3 files changed, 13 insertions(+), 21 deletions(-)
diff --git a/kernel/audit.h b/kernel/audit.h
index 6c664aed8f89..b413c0420c6f 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -144,7 +144,7 @@ struct audit_context {
kuid_t target_auid;
kuid_t target_uid;
unsigned int target_sessionid;
- u32 target_sid;
+ struct lsmblob target_blob;
char target_comm[TASK_COMM_LEN];
struct audit_tree_refs *trees, *first_trees;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 06309227a0eb..b3562e6ca081 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1370,7 +1370,6 @@ int audit_filter(int msgtype, unsigned int listtype)
case AUDIT_SUBJ_SEN:
case AUDIT_SUBJ_CLR:
if (f->lsm_rule) {
- /* scaffolding */
security_current_getlsmblob_subj(&blob);
result = security_audit_rule_match(
&blob, f->type, f->op,
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 886564532bbe..bfe2ee3ccbe6 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -100,7 +100,7 @@ struct audit_aux_data_pids {
kuid_t target_auid[AUDIT_AUX_PIDS];
kuid_t target_uid[AUDIT_AUX_PIDS];
unsigned int target_sessionid[AUDIT_AUX_PIDS];
- u32 target_sid[AUDIT_AUX_PIDS];
+ struct lsmblob target_blob[AUDIT_AUX_PIDS];
char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
int pid_count;
};
@@ -1019,7 +1019,7 @@ static void audit_reset_context(struct audit_context *ctx)
ctx->target_pid = 0;
ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
ctx->target_sessionid = 0;
- ctx->target_sid = 0;
+ lsmblob_init(&ctx->target_blob);
ctx->target_comm[0] = '\0';
unroll_tree_refs(ctx, NULL, 0);
WARN_ON(!list_empty(&ctx->killed_trees));
@@ -1093,8 +1093,9 @@ static inline void audit_free_context(struct audit_context *context)
}
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- kuid_t auid, kuid_t uid, unsigned int sessionid,
- u32 sid, char *comm)
+ kuid_t auid, kuid_t uid,
+ unsigned int sessionid, struct lsmblob *blob,
+ char *comm)
{
struct audit_buffer *ab;
char *ctx = NULL;
@@ -1108,8 +1109,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
- if (sid) {
- if (security_secid_to_secctx(sid, &ctx, &len)) {
+ if (lsmblob_is_set(blob)) {
+ if (security_lsmblob_to_secctx(blob, &ctx, &len)) {
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
@@ -1778,7 +1779,7 @@ static void audit_log_exit(void)
axs->target_auid[i],
axs->target_uid[i],
axs->target_sessionid[i],
- axs->target_sid[i],
+ &axs->target_blob[i],
axs->target_comm[i]))
call_panic = 1;
}
@@ -1787,7 +1788,7 @@ static void audit_log_exit(void)
audit_log_pid_context(context, context->target_pid,
context->target_auid, context->target_uid,
context->target_sessionid,
- context->target_sid, context->target_comm))
+ &context->target_blob, context->target_comm))
call_panic = 1;
if (context->pwd.dentry && context->pwd.mnt) {
@@ -2722,15 +2723,12 @@ int __audit_sockaddr(int len, void *a)
void __audit_ptrace(struct task_struct *t)
{
struct audit_context *context = audit_context();
- struct lsmblob blob;
context->target_pid = task_tgid_nr(t);
context->target_auid = audit_get_loginuid(t);
context->target_uid = task_uid(t);
context->target_sessionid = audit_get_sessionid(t);
- security_task_getlsmblob_obj(t, &blob);
- /* scaffolding */
- context->target_sid = blob.scaffold.secid;
+ security_task_getlsmblob_obj(t, &context->target_blob);
memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
}
@@ -2746,7 +2744,6 @@ int audit_signal_info_syscall(struct task_struct *t)
struct audit_aux_data_pids *axp;
struct audit_context *ctx = audit_context();
kuid_t t_uid = task_uid(t);
- struct lsmblob blob;
if (!audit_signals || audit_dummy_context())
return 0;
@@ -2758,9 +2755,7 @@ int audit_signal_info_syscall(struct task_struct *t)
ctx->target_auid = audit_get_loginuid(t);
ctx->target_uid = t_uid;
ctx->target_sessionid = audit_get_sessionid(t);
- security_task_getlsmblob_obj(t, &blob);
- /* scaffolding */
- ctx->target_sid = blob.scaffold.secid;
+ security_task_getlsmblob_obj(t, &ctx->target_blob);
memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
return 0;
}
@@ -2781,9 +2776,7 @@ int audit_signal_info_syscall(struct task_struct *t)
axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
axp->target_uid[axp->pid_count] = t_uid;
axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
- security_task_getlsmblob_obj(t, &blob);
- /* scaffolding */
- axp->target_sid[axp->pid_count] = blob.scaffold.secid;
+ security_task_getlsmblob_obj(t, &axp->target_blob[axp->pid_count]);
memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
axp->pid_count++;
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* [PATCH 12/13] Netlabel: Use lsmblob for audit data
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (10 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 11/13] Audit: Change context data from secid to lsmblob Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-25 19:00 ` [PATCH 13/13] LSM: Remove lsmblob scaffolding Casey Schaufler
12 siblings, 0 replies; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Replace the secid in the netlbl_audit structure with an lsmblob.
Remove scaffolding that was required when the value was a secid.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/net/netlabel.h | 2 +-
net/netlabel/netlabel_unlabeled.c | 5 +----
net/netlabel/netlabel_user.c | 7 +++----
net/netlabel/netlabel_user.h | 6 +-----
security/smack/smackfs.c | 4 +---
5 files changed, 7 insertions(+), 17 deletions(-)
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 654bc777d2a7..eb6b479c5c06 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -97,7 +97,7 @@ struct calipso_doi;
/* NetLabel audit information */
struct netlbl_audit {
- u32 secid;
+ struct lsmblob blob;
kuid_t loginuid;
unsigned int sessionid;
};
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 7f38dc9b6b57..7bac13ae07a3 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1534,14 +1534,11 @@ int __init netlbl_unlabel_defconf(void)
int ret_val;
struct netlbl_dom_map *entry;
struct netlbl_audit audit_info;
- struct lsmblob blob;
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
- security_current_getlsmblob_subj(&blob);
- /* scaffolding */
- audit_info.secid = blob.scaffold.secid;
+ security_current_getlsmblob_subj(&audit_info.blob);
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 3ed4fea2a2de..6cd1fcb3902b 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -98,10 +98,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
from_kuid(&init_user_ns, audit_info->loginuid),
audit_info->sessionid);
- if (audit_info->secid != 0 &&
- security_secid_to_secctx(audit_info->secid,
- &secctx,
- &secctx_len) == 0) {
+ if (lsmblob_is_set(&audit_info->blob) &&
+ security_lsmblob_to_secctx(&audit_info->blob, &secctx,
+ &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
security_release_secctx(secctx, secctx_len);
}
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index 40841d7af1d8..1a9639005d09 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -32,11 +32,7 @@
*/
static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info)
{
- struct lsmblob blob;
-
- security_current_getlsmblob_subj(&blob);
- /* scaffolding */
- audit_info->secid = blob.scaffold.secid;
+ security_current_getlsmblob_subj(&audit_info->blob);
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index e22aad7604e8..878fe44b662d 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -182,11 +182,9 @@ static inline void smack_catset_bit(unsigned int cat, char *catsetp)
*/
static void smk_netlabel_audit_set(struct netlbl_audit *nap)
{
- struct smack_known *skp = smk_of_current();
-
nap->loginuid = audit_get_loginuid(current);
nap->sessionid = audit_get_sessionid(current);
- nap->secid = skp->smk_secid;
+ nap->blob.smack.skp = smk_of_current();
}
/*
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread* [PATCH 13/13] LSM: Remove lsmblob scaffolding
2024-08-25 19:00 ` [PATCH 00/13] LSM: Move away from secids Casey Schaufler
` (11 preceding siblings ...)
2024-08-25 19:00 ` [PATCH 12/13] Netlabel: Use lsmblob for audit data Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
12 siblings, 0 replies; 24+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic
Remove the scaffold member from the lsmblob. Remove the
remaining places it is being set.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 6 ------
security/apparmor/audit.c | 6 +-----
security/apparmor/lsm.c | 4 ----
security/apparmor/secid.c | 6 +-----
security/selinux/hooks.c | 18 +-----------------
security/selinux/ss/services.c | 4 ----
security/smack/smack_lsm.c | 33 ++++-----------------------------
7 files changed, 7 insertions(+), 70 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 111c1fc18f25..ca4f3b41f344 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -144,11 +144,6 @@ enum lockdown_reason {
LOCKDOWN_CONFIDENTIALITY_MAX,
};
-/* scaffolding */
-struct lsmblob_scaffold {
- u32 secid;
-};
-
/*
* Data exported by the security modules
*/
@@ -157,7 +152,6 @@ struct lsmblob {
struct lsmblob_smack smack;
struct lsmblob_apparmor apparmor;
struct lsmblob_bpf bpf;
- struct lsmblob_scaffold scaffold;
};
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 758b75a9c1c5..120154a6d683 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -270,11 +270,7 @@ int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule)
struct aa_label *label;
int found = 0;
- /* scaffolding */
- if (!blob->apparmor.label && blob->scaffold.secid)
- label = aa_secid_to_label(blob->scaffold.secid);
- else
- label = blob->apparmor.label;
+ label = blob->apparmor.label;
if (!label)
return -ENOENT;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 877c4e809ae8..08fde302c9fe 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -987,8 +987,6 @@ static void apparmor_current_getlsmblob_subj(struct lsmblob *blob)
struct aa_label *label = __begin_current_label_crit_section();
blob->apparmor.label = label;
- /* scaffolding */
- blob->scaffold.secid = label->secid;
__end_current_label_crit_section(label);
}
@@ -998,8 +996,6 @@ static void apparmor_task_getlsmblob_obj(struct task_struct *p,
struct aa_label *label = aa_get_task_label(p);
blob->apparmor.label = label;
- /* scaffolding */
- blob->scaffold.secid = label->secid;
aa_put_label(label);
}
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index 3c389e5810cd..2b48050f97a6 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -100,11 +100,7 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
AA_BUG(!seclen);
- /* scaffolding */
- if (!blob->apparmor.label && blob->scaffold.secid)
- label = aa_secid_to_label(blob->scaffold.secid);
- else
- label = blob->apparmor.label;
+ label = blob->apparmor.label;
if (!label)
return -EINVAL;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 076511c446bd..a81529c21517 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3510,8 +3510,6 @@ static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob)
struct inode_security_struct *isec = inode_security_novalidate(inode);
blob->selinux.secid = isec->sid;
- /* scaffolding */
- blob->scaffold.secid = isec->sid;
}
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
@@ -4032,8 +4030,6 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob)
{
blob->selinux.secid = cred_sid(c);
- /* scaffolding */
- blob->scaffold.secid = blob->selinux.secid;
}
/*
@@ -4174,16 +4170,12 @@ static int selinux_task_getsid(struct task_struct *p)
static void selinux_current_getlsmblob_subj(struct lsmblob *blob)
{
blob->selinux.secid = current_sid();
- /* scaffolding */
- blob->scaffold.secid = blob->selinux.secid;
}
static void selinux_task_getlsmblob_obj(struct task_struct *p,
struct lsmblob *blob)
{
blob->selinux.secid = task_sid_obj(p);
- /* scaffolding */
- blob->scaffold.secid = blob->selinux.secid;
}
static int selinux_task_setnice(struct task_struct *p, int nice)
@@ -6348,8 +6340,6 @@ static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
{
struct ipc_security_struct *isec = selinux_ipc(ipcp);
blob->selinux.secid = isec->sid;
- /* scaffolding */
- blob->scaffold.secid = isec->sid;
}
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
@@ -6634,13 +6624,7 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
u32 *seclen)
{
- u32 secid = blob->selinux.secid;
-
- /* scaffolding */
- if (!secid)
- secid = blob->scaffold.secid;
-
- return security_sid_to_context(secid, secdata, seclen);
+ return security_sid_to_context(blob->selinux.secid, secdata, seclen);
}
static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 43eb1d46942c..002072912800 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3660,10 +3660,6 @@ int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
goto out;
}
- /* scaffolding */
- if (!blob->selinux.secid && blob->scaffold.secid)
- blob->selinux.secid = blob->scaffold.secid;
-
ctxt = sidtab_search(policy->sidtab, blob->selinux.secid);
if (unlikely(!ctxt)) {
WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index dbcf1c65da3c..670050f739da 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1655,11 +1655,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
*/
static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob)
{
- struct smack_known *skp = smk_of_inode(inode);
-
- blob->smack.skp = skp;
- /* scaffolding */
- blob->scaffold.secid = skp->smk_secid;
+ blob->smack.skp = smk_of_inode(inode);
}
/*
@@ -2162,8 +2158,6 @@ static void smack_cred_getlsmblob(const struct cred *cred,
{
rcu_read_lock();
blob->smack.skp = smk_of_task(smack_cred(cred));
- /* scaffolding */
- blob->scaffold.secid = blob->smack.skp->smk_secid;
rcu_read_unlock();
}
@@ -2265,11 +2259,7 @@ static int smack_task_getsid(struct task_struct *p)
*/
static void smack_current_getlsmblob_subj(struct lsmblob *blob)
{
- struct smack_known *skp = smk_of_current();
-
- blob->smack.skp = skp;
- /* scaffolding */
- blob->scaffold.secid = skp->smk_secid;
+ blob->smack.skp = smk_of_current();
}
/**
@@ -2282,11 +2272,7 @@ static void smack_current_getlsmblob_subj(struct lsmblob *blob)
static void smack_task_getlsmblob_obj(struct task_struct *p,
struct lsmblob *blob)
{
- struct smack_known *skp = smk_of_task_struct_obj(p);
-
- blob->smack.skp = skp;
- /* scaffolding */
- blob->scaffold.secid = skp->smk_secid;
+ blob->smack.skp = smk_of_task_struct_obj(p);
}
/**
@@ -3474,11 +3460,8 @@ static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp,
struct lsmblob *blob)
{
struct smack_known **iskpp = smack_ipc(ipp);
- struct smack_known *iskp = *iskpp;
- blob->smack.skp = iskp;
- /* scaffolding */
- blob->scaffold.secid = iskp->smk_secid;
+ blob->smack.skp = *iskpp;
}
/**
@@ -4825,10 +4808,6 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
return 0;
- /* scaffolding */
- if (!skp && blob->scaffold.secid)
- skp = smack_from_secid(blob->scaffold.secid);
-
/*
* No need to do string comparisons. If a match occurs,
* both pointers will point to the same smack_known
@@ -4889,10 +4868,6 @@ static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata,
{
struct smack_known *skp = blob->smack.skp;
- /* scaffolding */
- if (!skp && blob->scaffold.secid)
- skp = smack_from_secid(blob->scaffold.secid);
-
if (secdata)
*secdata = skp->smk_known;
*seclen = strlen(skp->smk_known);
--
2.41.0
^ permalink raw reply related [flat|nested] 24+ messages in thread