From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [TOMOYO #16 17/25] TOMOYO: Add capability support.
Date: Thu, 29 Oct 2009 00:23:01 -0500
Message-ID: <20091029052301.GC11558@us.ibm.com>
In-Reply-To: <20091004125332.899378759@I-love.SAKURA.ne.jp>
Quoting Tetsuo Handa (penguin-kernel@I-love.SAKURA.ne.jp):
> This patch contains code for checking non-posix capability.
>
> TOMOYO is ready to support 65536 types of non-posix capabilities.
> But I can't utilize TOMOYO's ability because
>
> (1) Hooks are missing.
Please send patches.
> or
> (2) Posix's capability and functionality are not one to one mapping.
> Therefore I can't derive functionality the caller wants to use from
> posix's capability number (e.g. CAP_SYS_ADMIN).
Hmm, it should be possible to address this in a back-compatible way. I.e.,
#define CAP_CHOWN 0
...
#define CAP_SYS_ADMIN 21
...
#define CAP_MAC_ADMIN 33
/* start enhanced capabilities */
#ifdef CONFIG_CAPABILITIES_ENHANCED
#define CAP_SAK_CONFIG 200
#define CAP_RND_ADMIN 201
#define CAP_SYS_HOSTNAME 202
...
#else
#define CAP_SAK_CONFIG CAP_SYS_ADMIN
#define CAP_RND_ADMIN CAP_SYS_ADMIN
#define CAP_SYS_HOSTNAME CAP_SYS_ADMIN
#endif
Plus of course all that is needed (if CONFIG_CAPABILITIES_ENHANCED=y)
to support all those caps.
> or
> (3) Hooks are provided but it is not permitted to sleep (e.g. CAP_SYS_NICE)
> while TOMOYO needs hooks where it is permitted to sleep.
> or
> (4) System calls and device drivers use the same posix's capability number.
> Thus whether MAC's policy suits or not depends on hardware the system
> is running. TOMOYO wants to distinguish requests from userland
> applications and requests from kernel drivers, but I can't distinguish
> it from posix's capability number.
Same thing?
> Therefore, LSM version of TOMOYO has very poor support compared to non-LSM
> version of TOMOYO. I hope this problem is solved in the future.
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> security/tomoyo/capability.c | 141 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 141 insertions(+)
>
> --- /dev/null
> +++ security-testing-2.6/security/tomoyo/capability.c
> @@ -0,0 +1,141 @@
> +/*
> + * security/tomoyo/capability.c
> + *
> + * Copyright (C) 2005-2009 NTT DATA CORPORATION
> + */
> +#include "internal.h"
> +
> +/**
> + * tomoyo_audit_capability_log - Audit capability log.
> + *
> + * @r: Pointer to "struct tomoyo_request_info".
> + * @operation: Type of operation.
> + * @is_granted: True if this is a granted log.
> + *
> + * Returns 0 on success, negative value otherwise.
> + */
> +static int tomoyo_audit_capability_log(struct tomoyo_request_info *r,
> + const u8 operation,
> + const bool is_granted)
> +{
> + if (!is_granted)
> + tomoyo_warn_log(r, "capability %s",
> + tomoyo_cap2keyword(operation));
> + return tomoyo_write_audit_log(is_granted, r,
> + TOMOYO_KEYWORD_ALLOW_CAPABILITY "%s\n",
> + tomoyo_cap2keyword(operation));
> +}
> +
> +/**
> + * tomoyo_capable - Check permission for capability.
> + *
> + * @operation: Type of operation.
> + *
> + * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
> + */
> +static bool tomoyo_capable2(const u8 operation)
> +{
> + struct tomoyo_request_info r;
> + struct tomoyo_acl_info *ptr;
> + int error;
> + if (tomoyo_init_request_info(&r, NULL, TOMOYO_MAX_MAC_INDEX +
> + operation) == TOMOYO_CONFIG_DISABLED)
> + return true;
> + do {
> + error = -EPERM;
> + list_for_each_entry_rcu(ptr, &r.domain->acl_info_list, list) {
> + struct tomoyo_capability_acl *acl;
> + if (ptr->is_deleted ||
> + ptr->type != TOMOYO_TYPE_CAPABILITY_ACL)
> + continue;
> + acl = container_of(ptr, struct tomoyo_capability_acl,
> + head);
> + if (acl->operation != operation ||
> + !tomoyo_condition(&r, ptr))
> + continue;
> + r.cond = ptr->cond;
> + error = 0;
> + break;
> + }
> + tomoyo_audit_capability_log(&r, operation, !error);
> + if (!error)
> + break;
> + error = tomoyo_supervisor(&r, TOMOYO_KEYWORD_ALLOW_CAPABILITY
> + "%s\n",
> + tomoyo_cap2keyword(operation));
> + } while (error == 1);
> + return !error;
> +}
> +
> +/**
> + * tomoyo_capable - Check permission for capability.
> + *
> + * @operation: Type of operation.
> + *
> + * Returns true on success, false otherwise.
> + */
> +bool tomoyo_capable(const u8 operation)
> +{
> + const int idx = tomoyo_read_lock();
> + const int error = tomoyo_capable2(operation);
> + tomoyo_read_unlock(idx);
> + return error;
> +}
> +
> +/**
> + * tomoyo_write_capability_policy - Write "struct tomoyo_capability_acl" list.
> + *
> + * @data: String to parse.
> + * @domain: Pointer to "struct tomoyo_domain_info".
> + * @condition: Pointer to "struct tomoyo_condition". May be NULL.
> + * @is_delete: True if it is a delete request.
> + *
> + * Returns 0 on success, negative value otherwise.
> + */
> +int tomoyo_write_capability_policy(char *data,
> + struct tomoyo_domain_info *domain,
> + struct tomoyo_condition *condition,
> + const bool is_delete)
> +{
> + struct tomoyo_capability_acl e = {
> + .head.type = TOMOYO_TYPE_CAPABILITY_ACL,
> + .head.cond = condition,
> + };
> + struct tomoyo_capability_acl *entry = NULL;
> + struct tomoyo_acl_info *ptr;
> + int error = is_delete ? -ENOENT : -ENOMEM;
> + u8 capability;
> + for (capability = 0; capability < TOMOYO_MAX_CAPABILITY_INDEX;
> + capability++) {
> + if (strcmp(data, tomoyo_cap2keyword(capability)))
> + continue;
> + break;
> + }
> + if (capability == TOMOYO_MAX_CAPABILITY_INDEX)
> + return -EINVAL;
> + e.operation = capability;
> + if (!is_delete)
> + entry = kmalloc(sizeof(e), GFP_KERNEL);
> + mutex_lock(&tomoyo_policy_lock);
> + list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
> + struct tomoyo_capability_acl *acl =
> + container_of(ptr, struct tomoyo_capability_acl,
> + head);
> + if (ptr->type != TOMOYO_TYPE_CAPABILITY_ACL ||
> + ptr->cond != condition || acl->operation != capability)
> + continue;
> + ptr->is_deleted = is_delete;
> + error = 0;
> + break;
> + }
> + if (!is_delete && error && tomoyo_commit_ok(entry, &e, sizeof(e))) {
> + tomoyo_add_domain_acl(domain, &entry->head);
> + entry = NULL;
> + error = 0;
> + }
> + mutex_unlock(&tomoyo_policy_lock);
> + kfree(entry);
> + return error;
> +}
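Review bot: the keyword search loop in tomoyo_write_capability_policy() only terminates if TOMOYO_MAX_CAPABILITY_INDEX fits in its u8 counter; with "u8 capability" and "capability < TOMOYO_MAX_CAPABILITY_INDEX", a bound of 256 or more wraps the counter back to 0 and the following "capability == TOMOYO_MAX_CAPABILITY_INDEX" check can never fire. The same u8 is the operation argument of tomoyo_capable()/tomoyo_capable2() and the operation field compared in the ACL walk, so this file can address at most 256 capability types, not the 65536 the description claims; either widen the type to u16 throughout or document the 256 limit. Two smaller points: the kernel-doc block above tomoyo_capable2() is headed "tomoyo_capable", so rename it to match the function it documents; and the search reads more naturally as "if (!strcmp(data, tomoyo_cap2keyword(capability))) break;" instead of the continue/break pair. In tomoyo_capable(), storing the bool result in "const int error" suggests an errno-style value; "allowed" would say what it actually holds.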
>
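The compile-time aliasing Serge sketches above, modelled in userspace as an added example; this is not code from the patch, from Serge's mail or from the kernel. The index values (CAP_CHOWN 0, CAP_SYS_ADMIN 21, CAP_MAC_ADMIN 33, CAP_SAK_CONFIG 200, CAP_RND_ADMIN 201, CAP_SYS_HOSTNAME 202) are the ones in the mail; the 256-entry bitset (sized to the u8 operation field in the patch), the cap_set type and the two hypothetical permission hooks are assumptions made so the program runs stand-alone. Built as-is it exercises the #else branch, where every enhanced capability collapses to CAP_SYS_ADMIN; built with -DCONFIG_CAPABILITIES_ENHANCED the same checks show the three capabilities as distinct bits.

```c
/* Added example, not from the patch or the mail: model of the enhanced
 * capability layout proposed in the reply.  Index values are those from the
 * mail; CAP_MAX, cap_set and the two may_*() hooks are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_CHOWN        0
#define CAP_SYS_ADMIN    21
#define CAP_MAC_ADMIN    33

/* start enhanced capabilities */
#ifdef CONFIG_CAPABILITIES_ENHANCED
#define CAP_SAK_CONFIG   200
#define CAP_RND_ADMIN    201
#define CAP_SYS_HOSTNAME 202
#else
#define CAP_SAK_CONFIG   CAP_SYS_ADMIN
#define CAP_RND_ADMIN    CAP_SYS_ADMIN
#define CAP_SYS_HOSTNAME CAP_SYS_ADMIN
#endif

/* Assumed: 256 indices, the range of the u8 operation field in the patch.
 * A 64-bit kernel_cap_t could not hold index 200, so a wider set is needed. */
#define CAP_MAX 256
typedef struct { uint32_t w[CAP_MAX / 32]; } cap_set;

static void cap_clear(cap_set *s) { memset(s, 0, sizeof(*s)); }
static void cap_raise(cap_set *s, unsigned cap) { s->w[cap / 32] |= 1u << (cap % 32); }
static int cap_raised(const cap_set *s, unsigned cap) { return (s->w[cap / 32] >> (cap % 32)) & 1; }

/* Hypothetical hooks standing in for sethostname(2) and a random-device
 * admin path: each asks for its own capability and nothing wider. */
int may_set_hostname(const cap_set *s) { return cap_raised(s, CAP_SYS_HOSTNAME); }
int may_admin_random(const cap_set *s) { return cap_raised(s, CAP_RND_ADMIN); }

int enhanced_build(void)
{
#ifdef CONFIG_CAPABILITIES_ENHANCED
    return 1;
#else
    return 0;
#endif
}

/* Clear a set, raise exactly one capability, report whether it is raised. */
int raise_then_check(unsigned cap)
{
    cap_set s;
    cap_clear(&s);
    cap_raise(&s, cap);
    return cap_raised(&s, cap);
}

/* 1 if holding only CAP_SYS_HOSTNAME also passes the random-admin check,
 * i.e. the two capabilities are indistinguishable in this build. */
int hostname_implies_random(void)
{
    cap_set s;
    cap_clear(&s);
    cap_raise(&s, CAP_SYS_HOSTNAME);
    return may_admin_random(&s);
}

/* 1 if a bare CAP_SYS_ADMIN passes the hostname check (true only when the
 * enhanced index aliases to CAP_SYS_ADMIN). */
int sys_admin_grants_hostname(void)
{
    cap_set s;
    cap_clear(&s);
    cap_raise(&s, CAP_SYS_ADMIN);
    return may_set_hostname(&s);
}

int main(void)
{
    printf("enhanced build: %d\n", enhanced_build());
    printf("CAP_SYS_HOSTNAME also grants CAP_RND_ADMIN: %d\n", hostname_implies_random());
    printf("CAP_SYS_ADMIN alone grants hostname: %d\n", sys_admin_grants_hostname());
    return 0;
}
```

The point the two last checks make is the one behind Serge's layout: with the config option off, a domain that needs only to set the hostname must be handed CAP_SYS_ADMIN and thereby every other CAP_SYS_ADMIN-gated operation, which is exactly what a MAC such as TOMOYO cannot narrow from the capability number alone; with it on, each hook asks for its own index and a policy can grant one without the others.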
Thread overview: 47+ messages
2009-10-04 12:49 [TOMOYO #16 00/25] Starting TOMOYO 2.3 Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() and security_path_chown() Tetsuo Handa
2009-10-08 17:10 ` John Johansen
2009-10-12 1:04 ` James Morris
2009-10-13 11:34 ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() andsecurity_path_chown() Tetsuo Handa
2009-10-13 11:37 ` [PATCH] TOMOYO: Add recursive directory matching operator support Tetsuo Handa
2009-10-13 11:39 ` [PATCH] TOMOYO: Use RCU primitives for list operation Tetsuo Handa
2009-10-13 11:41 ` [PATCH] TOMOYO: Bring memory allocation to outside semaphore Tetsuo Handa
2009-10-29 5:40 ` [PATCH] TOMOYO: Use RCU primitives for list operation Serge E. Hallyn
2009-12-04 12:34 ` Tetsuo Handa
2009-10-29 5:12 ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() and security_path_chown() Serge E. Hallyn
2009-10-29 15:56 ` [TOMOYO #16 01/25] LSM: Add security_path_chmod() andsecurity_path_chown() Tetsuo Handa
2009-11-22 2:49 ` [PATCH] LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock() Tetsuo Handa
2009-11-23 10:09 ` John Johansen
2009-11-23 21:50 ` James Morris
2009-10-04 12:49 ` [TOMOYO #16 02/25] LSM: Add security_path_chroot() Tetsuo Handa
2009-10-08 17:12 ` John Johansen
2009-10-29 5:32 ` Serge E. Hallyn
2009-10-04 12:49 ` [TOMOYO #16 03/25] LSM: Pass original mount flags to security_sb_mount() Tetsuo Handa
2009-10-08 17:22 ` John Johansen
2009-10-04 12:49 ` [TOMOYO #16 04/25] TOMOYO: Add header file Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 05/25] TOMOYO: Add per task_struct variables Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 06/25] TOMOYO: Add LSM adaptor Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 07/25] TOMOYO: Add path_group keyword support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 08/25] TOMOYO: Add number_group " Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 09/25] TOMOYO: Add address_group " Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 10/25] TOMOYO: Add conditional ACL support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 11/25] TOMOYO: Add auditing support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 12/25] TOMOYO: Memory management support Tetsuo Handa
2009-10-04 12:49 ` [TOMOYO #16 13/25] TOMOYO: Add garbage collector support Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 14/25] TOMOYO: Add network restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 15/25] TOMOYO: Add mount restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 16/25] TOMOYO: Add environment variables restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 17/25] TOMOYO: Add capability support Tetsuo Handa
2009-10-29 5:23 ` Serge E. Hallyn [this message]
2009-10-04 12:50 ` [TOMOYO #16 18/25] TOMOYO: Add utility functions Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 19/25] TOMOYO: Add policy I/O handler Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 20/25] TOMOYO: Add policy loader launcher Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 21/25] TOMOYO: Add securityfs interface Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 22/25] TOMOYO: Add pathname calculation functions Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 23/25] TOMOYO: Add file access restriction Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 24/25] TOMOYO: Add domain transition handler Tetsuo Handa
2009-10-04 12:50 ` [TOMOYO #16 25/25] TOMOYO: Update Kconfig and Makefile Tetsuo Handa
2009-10-06 9:39 ` [TOMOYO #16 00/25] Starting TOMOYO 2.3 Pavel Machek
2009-10-07 4:09 ` Tetsuo Handa
2009-10-07 7:38 ` Pavel Machek
2009-10-07 13:30 ` Tetsuo Handa