* [PATCH v13 0/9] LSM: Multiple concurrent LSMs
[not found] <5176ABB7.5080300@schaufler-ca.com>
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-24 18:57 ` Paul Moore
2013-04-23 16:04 ` [PATCH v13 1/9] LSM: Security blob abstraction Casey Schaufler
` (8 subsequent siblings)
9 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
Change the infrastructure for Linux Security Modules (LSM)s from a
single vector of hook handlers to a list based method for handling
multiple concurrent modules.
The "security=" boot option takes a comma separated list of LSMs,
registering them in the order presented. The LSM hooks will be
executed in the order registered. Hooks that return errors are
not short circuited. All hooks are called even if one of the LSM
hooks fails. The result returned will be that of the last LSM
hook that failed.
All behavior from security/capability.c has been moved into
the hook handling. The security/commoncap functions used
to get called from the LSM specific code. The handling of the
capability functions has been moved out of the LSMs and into the
hook handling.
A level of indirection has been introduced in the handling of
security blobs. LSMs no longer access ->security fields directly,
instead they use an abstraction provided by lsm_[gs]et field
functions.
The notion that "the security context" can be represented as a
single u32 "secid" does not scale to the case where multiple LSMs
want to provide "the security context". There are two types of
use for secids, logging and networking. Logging is addressed by
replacing the secid with a set of secids. Networking is addressed
by allocating each scheme to a specific LSM.
The NetLabel, XFRM and secmark facilities are restricted to use
by one LSM at a time. This is due to limitations of the underlying
networking mechanisms. The good news is that viable configurations
can be created. The bad news is that the complexity of configuring
a system is necessarily increased.
The /proc/*/attr interfaces are given to one LSM. This can be
done by setting CONFIG_SECURITY_PRESENT. Additional interfaces
have been created in /proc/*/attr so that each LSM has its own
named interfaces.
A "security context" may now contrain information processed by
more than one LSM. The proper form of a security context identifies
the information it contains by LSM:
smack='Pop'selinux='system_u:object_r:etc_r:s0'
A security context without the LSM identifying lsm='<text>' gets
passed through to all of the LSMs that use a security context. This
maintains compatability in the case where there is only one LSM
using the security context.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/security/LSM.txt | 39 +-
drivers/usb/core/devio.c | 10 +-
fs/proc/base.c | 29 +-
fs/sysfs/dir.c | 3 +-
fs/sysfs/inode.c | 5 +-
fs/sysfs/sysfs.h | 7 +-
fs/xattr.c | 8 +-
include/linux/audit.h | 9 +-
include/linux/cred.h | 3 +-
include/linux/lsm.h | 167 ++
include/linux/sched.h | 2 +-
include/linux/security.h | 378 +++-
include/net/af_unix.h | 3 +-
include/net/netlabel.h | 3 +-
include/net/scm.h | 8 +-
include/net/xfrm.h | 4 +-
kernel/audit.c | 94 +-
kernel/audit.h | 4 +-
kernel/auditfilter.c | 21 +-
kernel/auditsc.c | 80 +-
kernel/cred.c | 6 +-
kernel/signal.c | 6 +-
net/ipv4/ip_sockglue.c | 8 +-
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 11 +-
net/netfilter/nf_conntrack_netlink.c | 24 +-
net/netfilter/nf_conntrack_standalone.c | 11 +-
net/netfilter/xt_SECMARK.c | 4 +-
net/netlabel/netlabel_kapi.c | 37 +-
net/netlabel/netlabel_unlabeled.c | 22 +-
net/netlabel/netlabel_user.c | 4 +-
net/netlabel/netlabel_user.h | 61 +-
net/unix/af_unix.c | 17 +-
net/xfrm/xfrm_user.c | 16 +-
security/Kconfig | 176 +-
security/Makefile | 3 +-
security/apparmor/context.c | 10 +-
security/apparmor/domain.c | 19 +-
security/apparmor/include/context.h | 13 +-
security/apparmor/lsm.c | 68 +-
security/capability.c | 1105 -----------
security/commoncap.c | 6 -
security/inode.c | 79 +-
security/integrity/ima/ima_policy.c | 7 +-
security/security.c | 2014 ++++++++++++++++----
security/selinux/hooks.c | 412 ++--
security/selinux/include/objsec.h | 2 +
security/selinux/include/xfrm.h | 2 +-
security/selinux/netlabel.c | 17 +-
security/selinux/selinuxfs.c | 6 +-
security/selinux/xfrm.c | 9 +-
security/smack/smack.h | 15 +-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 474 +++--
security/smack/smackfs.c | 56 +-
security/tomoyo/common.h | 6 +-
security/tomoyo/domain.c | 2 +-
security/tomoyo/securityfs_if.c | 9 +-
security/tomoyo/tomoyo.c | 49 +-
security/yama/Kconfig | 7 -
security/yama/yama_lsm.c | 35 +-
60 files changed, 3357 insertions(+), 2350 deletions(-)
^ permalink raw reply [flat|nested] 27+ messages in thread
* [PATCH v13 1/9] LSM: Security blob abstraction
[not found] <5176ABB7.5080300@schaufler-ca.com>
2013-04-23 16:04 ` [PATCH v13 0/9] LSM: Multiple concurrent LSMs Casey Schaufler
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 2/9] LSM: Complete conversion to kill_pid_info_as_cred Casey Schaufler
` (7 subsequent siblings)
9 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 1/9] LSM: Security blob abstraction
Change the way that Linux security modules access security
blobs in support of multiple concurrent LSMs. Replace uses
of the task security field, the inode i_security field and
similar blob pointers with calls to trivial functions that
provide the pointers. In patch 8 of 9 these functions change
to provide the pointer for a specific LSM.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm.h | 150 ++++++++++++++++
security/apparmor/context.c | 10 +-
security/apparmor/domain.c | 8 +-
security/apparmor/include/context.h | 13 +-
security/apparmor/lsm.c | 36 ++--
security/selinux/hooks.c | 332 ++++++++++++++++++++---------------
security/selinux/include/objsec.h | 2 +
security/selinux/include/xfrm.h | 2 +-
security/selinux/netlabel.c | 13 +-
security/selinux/selinuxfs.c | 6 +-
security/selinux/xfrm.c | 9 +-
security/smack/smack.h | 15 +-
security/smack/smack_access.c | 2 +-
security/smack/smack_lsm.c | 322 ++++++++++++++++-----------------
security/smack/smackfs.c | 20 +--
security/tomoyo/common.h | 6 +-
security/tomoyo/domain.c | 2 +-
security/tomoyo/securityfs_if.c | 9 +-
security/tomoyo/tomoyo.c | 41 +++--
19 files changed, 618 insertions(+), 380 deletions(-)
diff --git a/include/linux/lsm.h b/include/linux/lsm.h
new file mode 100644
index 0000000..7c93865
--- /dev/null
+++ b/include/linux/lsm.h
@@ -0,0 +1,150 @@
+/*
+ *
+ * Copyright (C) 2012 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) 2012 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2.
+ *
+ * Author:
+ * Casey Schaufler <casey@schaufler-ca.com>
+ *
+ * Abstraction layer for LSM security blobs.
+ * This is pointless by itself, but necessary for multiple concurrent
+ * modules support. Multiple concurrent module support is also refered
+ * to as module stacking.
+ *
+ */
+#ifndef _LINUX_LSM_H
+#define _LINUX_LSM_H
+
+#include <linux/cred.h>
+#include <linux/fs.h>
+#include <linux/msg.h>
+#include <linux/key.h>
+#include <net/sock.h>
+#include <linux/security.h>
+
+/*
+ * Trivial implementation for the one-LSM-at-a-time case
+ */
+static inline void *lsm_get_blob(const void *bp, const int lsm)
+{
+ return (void *)bp;
+}
+
+/*
+ * Trivial implementation for the one-LSM-at-a-time case
+ */
+static inline void lsm_set_blob(void **vpp, void *value, const int lsm)
+{
+ *vpp = value;
+}
+
+static inline void *lsm_get_cred(const struct cred *cred,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(cred->security, 0);
+}
+
+static inline void lsm_set_cred(struct cred *cred, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&cred->security, value, 0);
+}
+
+static inline int lsm_set_init_cred(struct cred *cred, void *value,
+ const struct security_operations *sop)
+{
+ cred->security = value;
+ return 0;
+}
+
+static inline void *lsm_get_file(const struct file *file,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(file->f_security, 0);
+}
+
+static inline void lsm_set_file(struct file *file, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&file->f_security, value, 0);
+}
+
+static inline void *lsm_get_inode(const struct inode *inode,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(inode->i_security, 0);
+}
+
+static inline void lsm_set_inode(struct inode *inode, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&inode->i_security, value, 0);
+}
+
+static inline void *lsm_get_super(const struct super_block *super,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(super->s_security, 0);
+}
+
+static inline void lsm_set_super(struct super_block *super, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&super->s_security, value, 0);
+}
+
+static inline void *lsm_get_ipc(const struct kern_ipc_perm *ipc,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(ipc->security, 0);
+}
+
+static inline void lsm_set_ipc(struct kern_ipc_perm *ipc, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&ipc->security, value, 0);
+}
+
+static inline void *lsm_get_msg(const struct msg_msg *msg,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(msg->security, 0);
+}
+
+static inline void lsm_set_msg(struct msg_msg *msg, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&msg->security, value, 0);
+}
+
+#ifdef CONFIG_KEYS
+static inline void *lsm_get_key(const struct key *key,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(key->security, 0);
+}
+
+static inline void lsm_set_key(struct key *key, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&key->security, value, 0);
+}
+#endif
+
+static inline void *lsm_get_sock(const struct sock *sock,
+ const struct security_operations *sop)
+{
+ return lsm_get_blob(sock->sk_security, 0);
+}
+
+static inline void lsm_set_sock(struct sock *sock, void *value,
+ const struct security_operations *sop)
+{
+ lsm_set_blob(&sock->sk_security, value, 0);
+}
+
+#endif /* ! _LINUX_LSM_H */
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index 8a9b502..3d9e460 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -76,7 +76,7 @@ void aa_dup_task_context(struct aa_task_cxt *new, const struct aa_task_cxt *old)
*/
int aa_replace_current_profile(struct aa_profile *profile)
{
- struct aa_task_cxt *cxt = current_cred()->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(current_cred(), &apparmor_ops);
struct cred *new;
BUG_ON(!profile);
@@ -87,7 +87,7 @@ int aa_replace_current_profile(struct aa_profile *profile)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
/* if switching to unconfined or a different profile namespace
* clear out context state
@@ -123,7 +123,7 @@ int aa_set_current_onexec(struct aa_profile *profile)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
aa_get_profile(profile);
aa_put_profile(cxt->onexec);
cxt->onexec = profile;
@@ -150,7 +150,7 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token)
return -ENOMEM;
BUG_ON(!profile);
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (!cxt->previous) {
/* transfer refcount */
cxt->previous = cxt->profile;
@@ -187,7 +187,7 @@ int aa_restore_previous_profile(u64 token)
if (!new)
return -ENOMEM;
- cxt = new->security;
+ cxt = lsm_get_cred(new, &apparmor_ops);
if (cxt->token != token) {
abort_creds(new);
return -EACCES;
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 859abda..1614111 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -360,7 +360,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- cxt = bprm->cred->security;
+ cxt = lsm_get_cred(bprm->cred, &apparmor_ops);
BUG_ON(!cxt);
profile = aa_get_profile(aa_newest_version(cxt->profile));
@@ -557,7 +557,7 @@ int apparmor_bprm_secureexec(struct linux_binprm *bprm)
void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
{
struct aa_profile *profile = __aa_current_profile();
- struct aa_task_cxt *new_cxt = bprm->cred->security;
+ struct aa_task_cxt *new_cxt = lsm_get_cred(bprm->cred, &apparmor_ops);
/* bail out if unconfined or not changing profile */
if ((new_cxt->profile == profile) ||
@@ -634,7 +634,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
/* released below */
cred = get_current_cred();
- cxt = cred->security;
+ cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
previous_profile = cxt->previous;
@@ -770,7 +770,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
}
cred = get_current_cred();
- cxt = cred->security;
+ cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
/*
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index a9cbee4..8484e55 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -18,6 +18,7 @@
#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
+#include <linux/lsm.h>
#include "policy.h"
@@ -81,6 +82,8 @@ int aa_set_current_onexec(struct aa_profile *profile);
int aa_set_current_hat(struct aa_profile *profile, u64 token);
int aa_restore_previous_profile(u64 cookie);
+extern struct security_operations apparmor_ops;
+
/**
* __aa_task_is_confined - determine if @task has any confinement
* @task: task to check confinement of (NOT NULL)
@@ -89,7 +92,9 @@ int aa_restore_previous_profile(u64 cookie);
*/
static inline bool __aa_task_is_confined(struct task_struct *task)
{
- struct aa_task_cxt *cxt = __task_cred(task)->security;
+ struct aa_task_cxt *cxt;
+
+ cxt = lsm_get_cred(__task_cred(task), &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
if (unconfined(aa_newest_version(cxt->profile)))
@@ -108,7 +113,7 @@ static inline bool __aa_task_is_confined(struct task_struct *task)
*/
static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
{
- struct aa_task_cxt *cxt = cred->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(cred, &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
return aa_newest_version(cxt->profile);
}
@@ -136,8 +141,10 @@ static inline struct aa_profile *__aa_current_profile(void)
*/
static inline struct aa_profile *aa_current_profile(void)
{
- const struct aa_task_cxt *cxt = current_cred()->security;
+ const struct aa_task_cxt *cxt;
struct aa_profile *profile;
+
+ cxt = lsm_get_cred(current_cred(), &apparmor_ops);
BUG_ON(!cxt || !cxt->profile);
profile = aa_newest_version(cxt->profile);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b21830e..8784681 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -48,8 +48,8 @@ int apparmor_initialized __initdata;
*/
static void apparmor_cred_free(struct cred *cred)
{
- aa_free_task_context(cred->security);
- cred->security = NULL;
+ aa_free_task_context(lsm_get_cred(cred, &apparmor_ops));
+ lsm_set_cred(cred, NULL, &apparmor_ops);
}
/*
@@ -62,7 +62,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (!cxt)
return -ENOMEM;
- cred->security = cxt;
+ lsm_set_cred(cred, cxt, &apparmor_ops);
return 0;
}
@@ -77,8 +77,8 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
if (!cxt)
return -ENOMEM;
- aa_dup_task_context(cxt, old->security);
- new->security = cxt;
+ aa_dup_task_context(cxt, lsm_get_cred(old, &apparmor_ops));
+ lsm_set_cred(new, cxt, &apparmor_ops);
return 0;
}
@@ -87,8 +87,8 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
*/
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct aa_task_cxt *old_cxt = old->security;
- struct aa_task_cxt *new_cxt = new->security;
+ const struct aa_task_cxt *old_cxt = lsm_get_cred(old, &apparmor_ops);
+ struct aa_task_cxt *new_cxt = lsm_get_cred(new, &apparmor_ops);
aa_dup_task_context(new_cxt, old_cxt);
}
@@ -375,7 +375,7 @@ static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
static int apparmor_file_open(struct file *file, const struct cred *cred)
{
- struct aa_file_cxt *fcxt = file->f_security;
+ struct aa_file_cxt *fcxt = lsm_get_file(file, &apparmor_ops);
struct aa_profile *profile;
int error = 0;
@@ -409,8 +409,8 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
static int apparmor_file_alloc_security(struct file *file)
{
/* freed by apparmor_file_free_security */
- file->f_security = aa_alloc_file_context(GFP_KERNEL);
- if (!file->f_security)
+ lsm_set_file(file, aa_alloc_file_context(GFP_KERNEL), &apparmor_ops);
+ if (!lsm_get_file(file, &apparmor_ops))
return -ENOMEM;
return 0;
@@ -418,14 +418,15 @@ static int apparmor_file_alloc_security(struct file *file)
static void apparmor_file_free_security(struct file *file)
{
- struct aa_file_cxt *cxt = file->f_security;
+ struct aa_file_cxt *cxt = lsm_get_file(file, &apparmor_ops);
+ lsm_set_file(file, NULL, &apparmor_ops);
aa_free_file_context(cxt);
}
static int common_file_perm(int op, struct file *file, u32 mask)
{
- struct aa_file_cxt *fcxt = file->f_security;
+ struct aa_file_cxt *fcxt = lsm_get_file(file, &apparmor_ops);
struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
int error = 0;
@@ -472,7 +473,7 @@ static int common_mmap(int op, struct file *file, unsigned long prot,
struct dentry *dentry;
int mask = 0;
- if (!file || !file->f_security)
+ if (!file || !lsm_get_file(file, &apparmor_ops))
return 0;
if (prot & PROT_READ)
@@ -510,7 +511,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
struct aa_profile *profile;
/* released below */
const struct cred *cred = get_task_cred(task);
- struct aa_task_cxt *cxt = cred->security;
+ struct aa_task_cxt *cxt = lsm_get_cred(cred, &apparmor_ops);
profile = aa_cred_profile(cred);
if (strcmp(name, "current") == 0)
@@ -614,7 +615,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
-static struct security_operations apparmor_ops = {
+struct security_operations apparmor_ops = {
.name = "apparmor",
.ptrace_access_check = apparmor_ptrace_access_check,
@@ -878,6 +879,7 @@ static int param_set_mode(const char *val, struct kernel_param *kp)
*/
static int __init set_init_cxt(void)
{
+ int rc;
struct cred *cred = (struct cred *)current->real_cred;
struct aa_task_cxt *cxt;
@@ -886,9 +888,9 @@ static int __init set_init_cxt(void)
return -ENOMEM;
cxt->profile = aa_get_profile(root_ns->unconfined);
- cred->security = cxt;
+ rc = lsm_set_init_cred(cred, cxt, &apparmor_ops);
- return 0;
+ return rc;
}
static int __init apparmor_init(void)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7171a95..ddaec58 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -151,6 +151,7 @@ static int selinux_secmark_enabled(void)
*/
static void cred_init_security(void)
{
+ int rc;
struct cred *cred = (struct cred *) current->real_cred;
struct task_security_struct *tsec;
@@ -159,7 +160,9 @@ static void cred_init_security(void)
panic("SELinux: Failed to initialize initial task.\n");
tsec->osid = tsec->sid = SECINITSID_KERNEL;
- cred->security = tsec;
+ rc = lsm_set_init_cred(cred, tsec, &selinux_ops);
+ if (rc)
+ panic("SELinux: Failed to initialize initial task.\n");
}
/*
@@ -169,7 +172,7 @@ static inline u32 cred_sid(const struct cred *cred)
{
const struct task_security_struct *tsec;
- tsec = cred->security;
+ tsec = lsm_get_cred(cred, &selinux_ops);
return tsec->sid;
}
@@ -191,8 +194,9 @@ static inline u32 task_sid(const struct task_struct *task)
*/
static inline u32 current_sid(void)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec;
+ tsec = lsm_get_cred(current_cred(), &selinux_ops);
return tsec->sid;
}
@@ -213,22 +217,23 @@ static int inode_alloc_security(struct inode *inode)
isec->sid = SECINITSID_UNLABELED;
isec->sclass = SECCLASS_FILE;
isec->task_sid = sid;
- inode->i_security = isec;
+ lsm_set_inode(inode, isec, &selinux_ops);
return 0;
}
static void inode_free_security(struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct superblock_security_struct *sbsec = inode->i_sb->s_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(inode->i_sb, &selinux_ops);
spin_lock(&sbsec->isec_lock);
if (!list_empty(&isec->list))
list_del_init(&isec->list);
spin_unlock(&sbsec->isec_lock);
- inode->i_security = NULL;
+ lsm_set_inode(inode, NULL, &selinux_ops);
kmem_cache_free(sel_inode_cache, isec);
}
@@ -243,15 +248,15 @@ static int file_alloc_security(struct file *file)
fsec->sid = sid;
fsec->fown_sid = sid;
- file->f_security = fsec;
+ lsm_set_file(file, fsec, &selinux_ops);
return 0;
}
static void file_free_security(struct file *file)
{
- struct file_security_struct *fsec = file->f_security;
- file->f_security = NULL;
+ struct file_security_struct *fsec = lsm_get_file(file, &selinux_ops);
+ lsm_set_file(file, NULL, &selinux_ops);
kfree(fsec);
}
@@ -270,15 +275,16 @@ static int superblock_alloc_security(struct super_block *sb)
sbsec->sid = SECINITSID_UNLABELED;
sbsec->def_sid = SECINITSID_FILE;
sbsec->mntpoint_sid = SECINITSID_UNLABELED;
- sb->s_security = sbsec;
+ lsm_set_super(sb, sbsec, &selinux_ops);
return 0;
}
static void superblock_free_security(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
- sb->s_security = NULL;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
+ lsm_set_super(sb, NULL, &selinux_ops);
kfree(sbsec);
}
@@ -324,9 +330,10 @@ static int may_context_mount_sb_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec;
int rc;
+ tsec = lsm_get_cred(cred, &selinux_ops);
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
@@ -341,8 +348,10 @@ static int may_context_mount_inode_relabel(u32 sid,
struct superblock_security_struct *sbsec,
const struct cred *cred)
{
- const struct task_security_struct *tsec = cred->security;
+ const struct task_security_struct *tsec;
int rc;
+
+ tsec = lsm_get_cred(cred, &selinux_ops);
rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
FILESYSTEM__RELABELFROM, NULL);
if (rc)
@@ -355,7 +364,8 @@ static int may_context_mount_inode_relabel(u32 sid,
static int sb_finish_set_opts(struct super_block *sb)
{
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
struct dentry *root = sb->s_root;
struct inode *root_inode = root->d_inode;
int rc = 0;
@@ -445,7 +455,8 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
struct security_mnt_opts *opts)
{
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
char *context = NULL;
u32 len;
char tmp;
@@ -505,8 +516,9 @@ static int selinux_get_mnt_opts(const struct super_block *sb,
}
if (sbsec->flags & ROOTCONTEXT_MNT) {
struct inode *root = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *isec = root->i_security;
+ struct inode_security_struct *isec;
+ isec = lsm_get_inode(root, &selinux_ops);
rc = security_sid_to_context(isec->sid, &context, &len);
if (rc)
goto out_free;
@@ -556,10 +568,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
{
const struct cred *cred = current_cred();
int rc = 0, i;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
const char *name = sb->s_type->name;
struct inode *inode = sbsec->sb->s_root->d_inode;
- struct inode_security_struct *root_isec = inode->i_security;
+ struct inode_security_struct *root_isec =
+ lsm_get_inode(inode, &selinux_ops);
u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
u32 defcontext_sid = 0;
char **mount_options = opts->mnt_opts;
@@ -754,8 +768,10 @@ out_double_mount:
static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
struct super_block *newsb)
{
- const struct superblock_security_struct *oldsbsec = oldsb->s_security;
- struct superblock_security_struct *newsbsec = newsb->s_security;
+ const struct superblock_security_struct *oldsbsec =
+ lsm_get_super(oldsb, &selinux_ops);
+ struct superblock_security_struct *newsbsec =
+ lsm_get_super(newsb, &selinux_ops);
int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT);
int set_context = (oldsbsec->flags & CONTEXT_MNT);
@@ -790,16 +806,19 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
newsbsec->sid = sid;
if (!set_rootcontext) {
struct inode *newinode = newsb->s_root->d_inode;
- struct inode_security_struct *newisec = newinode->i_security;
+ struct inode_security_struct *newisec =
+ lsm_get_inode(newinode, &selinux_ops);
newisec->sid = sid;
}
newsbsec->mntpoint_sid = sid;
}
if (set_rootcontext) {
const struct inode *oldinode = oldsb->s_root->d_inode;
- const struct inode_security_struct *oldisec = oldinode->i_security;
+ const struct inode_security_struct *oldisec =
+ lsm_get_inode(oldinode, &selinux_ops);
struct inode *newinode = newsb->s_root->d_inode;
- struct inode_security_struct *newisec = newinode->i_security;
+ struct inode_security_struct *newisec =
+ lsm_get_inode(newinode, &selinux_ops);
newisec->sid = oldisec->sid;
}
@@ -1163,7 +1182,7 @@ static int selinux_proc_get_sid(struct dentry *dentry,
static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
{
struct superblock_security_struct *sbsec = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 sid;
struct dentry *dentry;
#define INITCONTEXTLEN 255
@@ -1178,7 +1197,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
if (isec->initialized)
goto out_unlock;
- sbsec = inode->i_sb->s_security;
+ sbsec = lsm_get_super(inode->i_sb, &selinux_ops);
if (!(sbsec->flags & SE_SBINITIALIZED)) {
/* Defer initialization until selinux_complete_init,
after the initial policy is loaded and the security
@@ -1390,8 +1409,10 @@ static int task_has_perm(const struct task_struct *tsk1,
u32 sid1, sid2;
rcu_read_lock();
- __tsec1 = __task_cred(tsk1)->security; sid1 = __tsec1->sid;
- __tsec2 = __task_cred(tsk2)->security; sid2 = __tsec2->sid;
+ __tsec1 = lsm_get_cred(__task_cred(tsk1), &selinux_ops);
+ sid1 = __tsec1->sid;
+ __tsec2 = lsm_get_cred(__task_cred(tsk2), &selinux_ops);
+ sid2 = __tsec2->sid;
rcu_read_unlock();
return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
}
@@ -1481,7 +1502,7 @@ static int inode_has_perm(const struct cred *cred,
return 0;
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
}
@@ -1528,7 +1549,7 @@ static int file_has_perm(const struct cred *cred,
struct file *file,
u32 av)
{
- struct file_security_struct *fsec = file->f_security;
+ struct file_security_struct *fsec = lsm_get_file(file, &selinux_ops);
struct inode *inode = file_inode(file);
struct common_audit_data ad;
u32 sid = cred_sid(cred);
@@ -1560,15 +1581,16 @@ static int may_create(struct inode *dir,
struct dentry *dentry,
u16 tclass)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid;
struct common_audit_data ad;
int rc;
- dsec = dir->i_security;
- sbsec = dir->i_sb->s_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ sbsec = lsm_get_super(dir->i_sb, &selinux_ops);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -1623,8 +1645,8 @@ static int may_link(struct inode *dir,
u32 av;
int rc;
- dsec = dir->i_security;
- isec = dentry->d_inode->i_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ isec = lsm_get_inode(dentry->d_inode, &selinux_ops);
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
@@ -1667,10 +1689,10 @@ static inline int may_rename(struct inode *old_dir,
int old_is_dir, new_is_dir;
int rc;
- old_dsec = old_dir->i_security;
- old_isec = old_dentry->d_inode->i_security;
+ old_dsec = lsm_get_inode(old_dir, &selinux_ops);
+ old_isec = lsm_get_inode(old_dentry->d_inode, &selinux_ops);
old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
- new_dsec = new_dir->i_security;
+ new_dsec = lsm_get_inode(new_dir, &selinux_ops);
ad.type = LSM_AUDIT_DATA_DENTRY;
@@ -1698,7 +1720,7 @@ static inline int may_rename(struct inode *old_dir,
if (rc)
return rc;
if (new_dentry->d_inode) {
- new_isec = new_dentry->d_inode->i_security;
+ new_isec = lsm_get_inode(new_dentry->d_inode, &selinux_ops);
new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
rc = avc_has_perm(sid, new_isec->sid,
new_isec->sclass,
@@ -1719,7 +1741,7 @@ static int superblock_has_perm(const struct cred *cred,
struct superblock_security_struct *sbsec;
u32 sid = cred_sid(cred);
- sbsec = sb->s_security;
+ sbsec = lsm_get_super(sb, &selinux_ops);
return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
}
@@ -1838,8 +1860,8 @@ static int selinux_capset(struct cred *new, const struct cred *old,
{
int error;
- error = cap_capset(new, old,
- effective, inheritable, permitted);
+ error = cap_capset(new, old, effective, inheritable, permitted);
+
if (error)
return error;
@@ -1970,9 +1992,9 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- old_tsec = current_security();
- new_tsec = bprm->cred->security;
- isec = inode->i_security;
+ old_tsec = lsm_get_cred(current_cred(), &selinux_ops);
+ new_tsec = lsm_get_cred(bprm->cred, &selinux_ops);
+ isec = lsm_get_inode(inode, &selinux_ops);
/* Default to the current task SID. */
new_tsec->sid = old_tsec->sid;
@@ -2047,7 +2069,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
rcu_read_lock();
tracer = ptrace_parent(current);
if (likely(tracer != NULL)) {
- sec = __task_cred(tracer)->security;
+ sec = lsm_get_cred(__task_cred(tracer),
+ &selinux_ops);
ptsid = sec->sid;
}
rcu_read_unlock();
@@ -2070,7 +2093,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
static int selinux_bprm_secureexec(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
u32 sid, osid;
int atsecure = 0;
@@ -2152,7 +2176,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
struct rlimit *rlim, *initrlim;
int rc, i;
- new_tsec = bprm->cred->security;
+ new_tsec = lsm_get_cred(bprm->cred, &selinux_ops);
if (new_tsec->sid == new_tsec->osid)
return;
@@ -2193,7 +2217,8 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
*/
static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct itimerval itimer;
u32 osid, sid;
int rc, i;
@@ -2340,7 +2365,8 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
int rc, i, *flags;
struct security_mnt_opts opts;
char *secdata, **mount_options;
- struct superblock_security_struct *sbsec = sb->s_security;
+ struct superblock_security_struct *sbsec =
+ lsm_get_super(sb, &selinux_ops);
if (!(sbsec->flags & SE_SBINITIALIZED))
return 0;
@@ -2392,7 +2418,8 @@ static int selinux_sb_remount(struct super_block *sb, void *data)
break;
case ROOTCONTEXT_MNT: {
struct inode_security_struct *root_isec;
- root_isec = sb->s_root->d_inode->i_security;
+ root_isec = lsm_get_inode(sb->s_root->d_inode,
+ &selinux_ops);
if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
goto out_bad_option;
@@ -2488,15 +2515,16 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr, char **name,
void **value, size_t *len)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct inode_security_struct *dsec;
struct superblock_security_struct *sbsec;
u32 sid, newsid, clen;
int rc;
char *namep = NULL, *context;
- dsec = dir->i_security;
- sbsec = dir->i_sb->s_security;
+ dsec = lsm_get_inode(dir, &selinux_ops);
+ sbsec = lsm_get_super(dir->i_sb, &selinux_ops);
sid = tsec->sid;
newsid = tsec->create_sid;
@@ -2520,7 +2548,8 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
/* Possibly defer initialization to selinux_complete_init. */
if (sbsec->flags & SE_SBINITIALIZED) {
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec =
+ lsm_get_inode(inode, &selinux_ops);
isec->sclass = inode_mode_to_security_class(inode->i_mode);
isec->sid = newsid;
isec->initialized = 1;
@@ -2609,7 +2638,7 @@ static noinline int audit_inode_permission(struct inode *inode,
unsigned flags)
{
struct common_audit_data ad;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
int rc;
ad.type = LSM_AUDIT_DATA_INODE;
@@ -2649,7 +2678,7 @@ static int selinux_inode_permission(struct inode *inode, int mask)
perms = file_mask_to_av(inode->i_mode, mask);
sid = cred_sid(cred);
- isec = inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);
audited = avc_audit_required(perms, &avd, rc,
@@ -2724,7 +2753,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
struct inode *inode = dentry->d_inode;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
struct superblock_security_struct *sbsec;
struct common_audit_data ad;
u32 newsid, sid = current_sid();
@@ -2733,7 +2762,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
if (strcmp(name, XATTR_NAME_SELINUX))
return selinux_inode_setotherxattr(dentry, name);
- sbsec = inode->i_sb->s_security;
+ sbsec = lsm_get_super(inode->i_sb, &selinux_ops);
if (!(sbsec->flags & SE_SBLABELSUPP))
return -EOPNOTSUPP;
@@ -2801,7 +2830,7 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
int flags)
{
struct inode *inode = dentry->d_inode;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 newsid;
int rc;
@@ -2856,7 +2885,7 @@ static int selinux_inode_getsecurity(const struct inode *inode, const char *name
u32 size;
int error;
char *context = NULL;
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
if (strcmp(name, XATTR_SELINUX_SUFFIX))
return -EOPNOTSUPP;
@@ -2892,7 +2921,7 @@ out_nofree:
static int selinux_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 newsid;
int rc;
@@ -2921,7 +2950,7 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
*secid = isec->sid;
}
@@ -3169,7 +3198,7 @@ static int selinux_file_set_fowner(struct file *file)
{
struct file_security_struct *fsec;
- fsec = file->f_security;
+ fsec = lsm_get_file(file, &selinux_ops);
fsec->fown_sid = current_sid();
return 0;
@@ -3186,7 +3215,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
/* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner);
- fsec = file->f_security;
+ fsec = lsm_get_file(file, &selinux_ops);
if (!signum)
perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@@ -3209,8 +3238,8 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
struct file_security_struct *fsec;
struct inode_security_struct *isec;
- fsec = file->f_security;
- isec = file_inode(file)->i_security;
+ fsec = lsm_get_file(file, &selinux_ops);
+ isec = lsm_get_inode(file->f_path.dentry->d_inode, &selinux_ops);
/*
* Save inode label and policy sequence number
* at open-time so that selinux_file_permission
@@ -3249,7 +3278,7 @@ static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (!tsec)
return -ENOMEM;
- cred->security = tsec;
+ lsm_set_cred(cred, tsec, &selinux_ops);
return 0;
}
@@ -3258,14 +3287,14 @@ static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void selinux_cred_free(struct cred *cred)
{
- struct task_security_struct *tsec = cred->security;
+ struct task_security_struct *tsec = lsm_get_cred(cred, &selinux_ops);
/*
* cred->security == NULL if security_cred_alloc_blank() or
* security_prepare_creds() returned an error.
*/
- BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
- cred->security = (void *) 0x7UL;
+ BUG_ON(tsec && (unsigned long) tsec < PAGE_SIZE);
+ lsm_set_cred(cred, NULL, &selinux_ops);
kfree(tsec);
}
@@ -3278,13 +3307,13 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
const struct task_security_struct *old_tsec;
struct task_security_struct *tsec;
- old_tsec = old->security;
+ old_tsec = lsm_get_cred(old, &selinux_ops);
tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
if (!tsec)
return -ENOMEM;
- new->security = tsec;
+ lsm_set_cred(new, tsec, &selinux_ops);
return 0;
}
@@ -3293,9 +3322,15 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
*/
static void selinux_cred_transfer(struct cred *new, const struct cred *old)
{
- const struct task_security_struct *old_tsec = old->security;
- struct task_security_struct *tsec = new->security;
+ const struct task_security_struct *old_tsec;
+ struct task_security_struct *tsec;
+
+ old_tsec = lsm_get_cred(old, &selinux_ops);
+ tsec = lsm_get_cred(new, &selinux_ops);
+ /*
+ * This is a data copy, not a pointer assignment.
+ */
*tsec = *old_tsec;
}
@@ -3305,7 +3340,7 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
*/
static int selinux_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_security_struct *tsec = new->security;
+ struct task_security_struct *tsec = lsm_get_cred(new, &selinux_ops);
u32 sid = current_sid();
int ret;
@@ -3328,8 +3363,8 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid)
*/
static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
- struct task_security_struct *tsec = new->security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
+ struct task_security_struct *tsec = lsm_get_cred(new, &selinux_ops);
u32 sid = current_sid();
int ret;
@@ -3450,6 +3485,7 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
perm = PROCESS__SIGNULL; /* null signal; existence test */
else
perm = signal_to_av(sig);
+
if (secid)
rc = avc_has_perm(secid, task_sid(p),
SECCLASS_PROCESS, perm, NULL);
@@ -3466,7 +3502,7 @@ static int selinux_task_wait(struct task_struct *p)
static void selinux_task_to_inode(struct task_struct *p,
struct inode *inode)
{
- struct inode_security_struct *isec = inode->i_security;
+ struct inode_security_struct *isec = lsm_get_inode(inode, &selinux_ops);
u32 sid = task_sid(p);
isec->sid = sid;
@@ -3721,7 +3757,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
u32 tsid = task_sid(task);
@@ -3739,7 +3775,8 @@ static int sock_has_perm(struct task_struct *task, struct sock *sk, u32 perms)
static int selinux_socket_create(int family, int type,
int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
u32 newsid;
u16 secclass;
int rc;
@@ -3758,8 +3795,10 @@ static int selinux_socket_create(int family, int type,
static int selinux_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- const struct task_security_struct *tsec = current_security();
- struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
+ struct inode_security_struct *isec =
+ lsm_get_inode(SOCK_INODE(sock), &selinux_ops);
struct sk_security_struct *sksec;
int err = 0;
@@ -3776,7 +3815,7 @@ static int selinux_socket_post_create(struct socket *sock, int family,
isec->initialized = 1;
if (sock->sk) {
- sksec = sock->sk->sk_security;
+ sksec = lsm_get_sock(sock->sk, &selinux_ops);
sksec->sid = isec->sid;
sksec->sclass = isec->sclass;
err = selinux_netlbl_socket_post_create(sock->sk, family);
@@ -3807,7 +3846,8 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
family = sk->sk_family;
if (family == PF_INET || family == PF_INET6) {
char *addrp;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
struct sockaddr_in *addr4 = NULL;
@@ -3891,7 +3931,7 @@ out:
static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
int err;
err = sock_has_perm(current, sk, SOCKET__CONNECT);
@@ -3959,9 +3999,9 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
if (err)
return err;
- newisec = SOCK_INODE(newsock)->i_security;
+ newisec = lsm_get_inode(SOCK_INODE(newsock), &selinux_ops);
- isec = SOCK_INODE(sock)->i_security;
+ isec = lsm_get_inode(SOCK_INODE(sock), &selinux_ops);
newisec->sclass = isec->sclass;
newisec->sid = isec->sid;
newisec->initialized = 1;
@@ -4017,9 +4057,12 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
{
- struct sk_security_struct *sksec_sock = sock->sk_security;
- struct sk_security_struct *sksec_other = other->sk_security;
- struct sk_security_struct *sksec_new = newsk->sk_security;
+ struct sk_security_struct *sksec_sock =
+ lsm_get_sock(sock, &selinux_ops);
+ struct sk_security_struct *sksec_other =
+ lsm_get_sock(other, &selinux_ops);
+ struct sk_security_struct *sksec_new =
+ lsm_get_sock(newsk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
int err;
@@ -4050,8 +4093,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock,
static int selinux_socket_unix_may_send(struct socket *sock,
struct socket *other)
{
- struct sk_security_struct *ssec = sock->sk->sk_security;
- struct sk_security_struct *osec = other->sk->sk_security;
+ struct sk_security_struct *ssec = lsm_get_sock(sock->sk, &selinux_ops);
+ struct sk_security_struct *osec = lsm_get_sock(other->sk, &selinux_ops);
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4090,7 +4133,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
u16 family)
{
int err = 0;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
struct lsm_network_audit net = {0,};
@@ -4122,7 +4165,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
int err;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
u16 family = sk->sk_family;
u32 sk_sid = sksec->sid;
struct common_audit_data ad;
@@ -4192,7 +4235,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
int err = 0;
char *scontext;
u32 scontext_len;
- struct sk_security_struct *sksec = sock->sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sock->sk, &selinux_ops);
u32 peer_sid = SECSID_NULL;
if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
@@ -4257,24 +4300,24 @@ static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority
sksec->peer_sid = SECINITSID_UNLABELED;
sksec->sid = SECINITSID_UNLABELED;
selinux_netlbl_sk_security_reset(sksec);
- sk->sk_security = sksec;
+ lsm_set_sock(sk, sksec, &selinux_ops);
return 0;
}
static void selinux_sk_free_security(struct sock *sk)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
- sk->sk_security = NULL;
+ lsm_set_sock(sk, NULL, &selinux_ops);
selinux_netlbl_sk_security_free(sksec);
kfree(sksec);
}
static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
{
- struct sk_security_struct *sksec = sk->sk_security;
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
+ struct sk_security_struct *newsksec = lsm_get_sock(newsk, &selinux_ops);
newsksec->sid = sksec->sid;
newsksec->peer_sid = sksec->peer_sid;
@@ -4288,7 +4331,8 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
if (!sk)
*secid = SECINITSID_ANY_SOCKET;
else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
*secid = sksec->sid;
}
@@ -4296,8 +4340,9 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
static void selinux_sock_graft(struct sock *sk, struct socket *parent)
{
- struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct inode_security_struct *isec =
+ lsm_get_inode(SOCK_INODE(parent), &selinux_ops);
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
sk->sk_family == PF_UNIX)
@@ -4308,7 +4353,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
int err;
u16 family = sk->sk_family;
u32 newsid;
@@ -4338,7 +4383,7 @@ static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void selinux_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- struct sk_security_struct *newsksec = newsk->sk_security;
+ struct sk_security_struct *newsksec = lsm_get_sock(newsk, &selinux_ops);
newsksec->sid = req->secid;
newsksec->peer_sid = req->peer_secid;
@@ -4355,7 +4400,7 @@ static void selinux_inet_csk_clone(struct sock *newsk,
static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
{
u16 family = sk->sk_family;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
/* handle mapped IPv4 packets arriving via IPv6 sockets */
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -4374,7 +4419,7 @@ static int selinux_secmark_relabel_packet(u32 sid)
const struct task_security_struct *__tsec;
u32 tsid;
- __tsec = current_security();
+ __tsec = lsm_get_cred(current_cred(), &selinux_ops);
tsid = __tsec->sid;
return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL);
@@ -4479,7 +4524,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
int err = 0;
u32 perm;
struct nlmsghdr *nlh;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (skb->len < NLMSG_SPACE(0)) {
err = -EINVAL;
@@ -4599,7 +4644,8 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
* because we want to make sure we apply the necessary labeling
* before IPsec is applied so we can leverage AH protection */
if (skb->sk) {
- struct sk_security_struct *sksec = skb->sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(skb->sk, &selinux_ops);
sid = sksec->sid;
} else
sid = SECINITSID_KERNEL;
@@ -4631,7 +4677,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
if (sk == NULL)
return NF_ACCEPT;
- sksec = sk->sk_security;
+ sksec = lsm_get_sock(sk, &selinux_ops);
ad.type = LSM_AUDIT_DATA_NET;
ad.u.net = &net;
@@ -4699,7 +4745,8 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
peer_sid = SECINITSID_KERNEL;
}
} else {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
peer_sid = sksec->sid;
secmark_perm = PACKET__SEND;
}
@@ -4783,15 +4830,15 @@ static int ipc_alloc_security(struct task_struct *task,
sid = task_sid(task);
isec->sclass = sclass;
isec->sid = sid;
- perm->security = isec;
+ lsm_set_ipc(perm, isec, &selinux_ops);
return 0;
}
static void ipc_free_security(struct kern_ipc_perm *perm)
{
- struct ipc_security_struct *isec = perm->security;
- perm->security = NULL;
+ struct ipc_security_struct *isec = lsm_get_ipc(perm, &selinux_ops);
+ lsm_set_ipc(perm, NULL, &selinux_ops);
kfree(isec);
}
@@ -4804,16 +4851,16 @@ static int msg_msg_alloc_security(struct msg_msg *msg)
return -ENOMEM;
msec->sid = SECINITSID_UNLABELED;
- msg->security = msec;
+ lsm_set_msg(msg, msec, &selinux_ops);
return 0;
}
static void msg_msg_free_security(struct msg_msg *msg)
{
- struct msg_security_struct *msec = msg->security;
+ struct msg_security_struct *msec = lsm_get_msg(msg, &selinux_ops);
- msg->security = NULL;
+ lsm_set_msg(msg, NULL, &selinux_ops);
kfree(msec);
}
@@ -4824,7 +4871,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
struct common_audit_data ad;
u32 sid = current_sid();
- isec = ipc_perms->security;
+ isec = lsm_get_ipc(ipc_perms, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = ipc_perms->key;
@@ -4854,7 +4901,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
if (rc)
return rc;
- isec = msq->q_perm.security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4879,7 +4926,7 @@ static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = msq->q_perm.security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4924,8 +4971,8 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = current_sid();
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
+ msec = lsm_get_msg(msg, &selinux_ops);
/*
* First time through, need to assign label to the message
@@ -4969,8 +5016,8 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
u32 sid = task_sid(target);
int rc;
- isec = msq->q_perm.security;
- msec = msg->security;
+ isec = lsm_get_ipc(&msq->q_perm, &selinux_ops);
+ msec = lsm_get_msg(msg, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = msq->q_perm.key;
@@ -4995,7 +5042,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
if (rc)
return rc;
- isec = shp->shm_perm.security;
+ isec = lsm_get_ipc(&shp->shm_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -5020,7 +5067,7 @@ static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = shp->shm_perm.security;
+ isec = lsm_get_ipc(&shp->shm_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = shp->shm_perm.key;
@@ -5087,7 +5134,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
if (rc)
return rc;
- isec = sma->sem_perm.security;
+ isec = lsm_get_ipc(&sma->sem_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5112,7 +5159,7 @@ static int selinux_sem_associate(struct sem_array *sma, int semflg)
struct common_audit_data ad;
u32 sid = current_sid();
- isec = sma->sem_perm.security;
+ isec = lsm_get_ipc(&sma->sem_perm, &selinux_ops);
ad.type = LSM_AUDIT_DATA_IPC;
ad.u.ipc_id = sma->sem_perm.key;
@@ -5194,7 +5241,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- struct ipc_security_struct *isec = ipcp->security;
+ struct ipc_security_struct *isec = lsm_get_ipc(ipcp, &selinux_ops);
*secid = isec->sid;
}
@@ -5219,7 +5266,7 @@ static int selinux_getprocattr(struct task_struct *p,
}
rcu_read_lock();
- __tsec = __task_cred(p)->security;
+ __tsec = lsm_get_cred(__task_cred(p), &selinux_ops);
if (!strcmp(name, "current"))
sid = __tsec->sid;
@@ -5328,7 +5375,7 @@ static int selinux_setprocattr(struct task_struct *p,
operation. See selinux_bprm_set_creds for the execve
checks and may_create for the file creation checks. The
operation will then fail if the context is not permitted. */
- tsec = new->security;
+ tsec = lsm_get_cred(new, &selinux_ops);
if (!strcmp(name, "exec")) {
tsec->exec_sid = sid;
} else if (!strcmp(name, "fscreate")) {
@@ -5442,21 +5489,21 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred,
if (!ksec)
return -ENOMEM;
- tsec = cred->security;
+ tsec = lsm_get_cred(cred, &selinux_ops);
if (tsec->keycreate_sid)
ksec->sid = tsec->keycreate_sid;
else
ksec->sid = tsec->sid;
- k->security = ksec;
+ lsm_set_key(k, ksec, &selinux_ops);
return 0;
}
static void selinux_key_free(struct key *k)
{
- struct key_security_struct *ksec = k->security;
+ struct key_security_struct *ksec = lsm_get_key(k, &selinux_ops);
- k->security = NULL;
+ lsm_set_key(k, NULL, &selinux_ops);
kfree(ksec);
}
@@ -5477,14 +5524,14 @@ static int selinux_key_permission(key_ref_t key_ref,
sid = cred_sid(cred);
key = key_ref_to_ptr(key_ref);
- ksec = key->security;
+ ksec = lsm_get_key(key, &selinux_ops);
return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
}
static int selinux_key_getsecurity(struct key *key, char **_buffer)
{
- struct key_security_struct *ksec = key->security;
+ struct key_security_struct *ksec = lsm_get_key(key, &selinux_ops);
char *context = NULL;
unsigned len;
int rc;
@@ -5498,7 +5545,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
-static struct security_operations selinux_ops = {
+struct security_operations selinux_ops = {
.name = "selinux",
.ptrace_access_check = selinux_ptrace_access_check,
@@ -5702,6 +5749,7 @@ static struct security_operations selinux_ops = {
static __init int selinux_init(void)
{
+
if (!security_module_enable(&selinux_ops)) {
selinux_enabled = 0;
return 0;
@@ -5720,8 +5768,8 @@ static __init int selinux_init(void)
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
sel_inode_cache = kmem_cache_create("selinux_inode_security",
- sizeof(struct inode_security_struct),
- 0, SLAB_PANIC, NULL);
+ sizeof(struct inode_security_struct),
+ 0, SLAB_PANIC, NULL);
avc_init();
if (register_security(&selinux_ops))
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index aa47bca..c4f9cf1 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -24,6 +24,7 @@
#include <linux/binfmts.h>
#include <linux/in.h>
#include <linux/spinlock.h>
+#include <linux/lsm.h>
#include "flask.h"
#include "avc.h"
@@ -119,5 +120,6 @@ struct key_security_struct {
};
extern unsigned int selinux_checkreqprot;
+extern struct security_operations selinux_ops;
#endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 65f67cb..1219221 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -31,7 +31,7 @@ static inline struct inode_security_struct *get_sock_isec(struct sock *sk)
if (!sk->sk_socket)
return NULL;
- return SOCK_INODE(sk->sk_socket)->i_security;
+ return lsm_get_inode(SOCK_INODE(sk->sk_socket), &selinux_ops);
}
#ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index da4b8b2..7a9cbd0 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -81,7 +81,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_secattr != NULL)
@@ -221,7 +221,8 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
* being labeled by it's parent socket, if it is just exit */
sk = skb->sk;
if (sk != NULL) {
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec =
+ lsm_get_sock(sk, &selinux_ops);
if (sksec->nlbl_state != NLBL_REQSKB)
return 0;
secattr = sksec->nlbl_secattr;
@@ -283,7 +284,7 @@ inet_conn_request_return:
*/
void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
{
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
if (family == PF_INET)
sksec->nlbl_state = NLBL_LABELED;
@@ -304,7 +305,7 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family)
int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (family != PF_INET)
@@ -402,7 +403,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
{
int rc = 0;
struct sock *sk = sock->sk;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr secattr;
if (level == IPPROTO_IP && optname == IP_OPTIONS &&
@@ -435,7 +436,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
{
int rc;
- struct sk_security_struct *sksec = sk->sk_security;
+ struct sk_security_struct *sksec = lsm_get_sock(sk, &selinux_ops);
struct netlbl_lsm_secattr *secattr;
if (sksec->nlbl_state != NLBL_REQSKB &&
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index ff42773..e9a10a5 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -83,7 +83,7 @@ static int task_has_security(struct task_struct *tsk,
u32 sid = 0;
rcu_read_lock();
- tsec = __task_cred(tsk)->security;
+ tsec = lsm_get_cred(__task_cred(tsk), &selinux_ops);
if (tsec)
sid = tsec->sid;
rcu_read_unlock();
@@ -1262,7 +1262,7 @@ static int sel_make_bools(void)
if (len >= PAGE_SIZE)
goto out;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
if (ret)
goto out;
@@ -1827,7 +1827,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
goto err;
inode->i_ino = ++sel_last_ino;
- isec = (struct inode_security_struct *)inode->i_security;
+ isec = lsm_get_inode(inode, &selinux_ops);
isec->sid = SECINITSID_DEVNULL;
isec->sclass = SECCLASS_CHR_FILE;
isec->initialized = 1;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 8ab2951..5574ae4 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -198,7 +198,8 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
struct xfrm_user_sec_ctx *uctx, u32 sid)
{
int rc = 0;
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct xfrm_sec_ctx *ctx = NULL;
char *ctx_str = NULL;
u32 str_len;
@@ -334,7 +335,8 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
*/
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
int rc = 0;
if (ctx) {
@@ -379,7 +381,8 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
*/
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
- const struct task_security_struct *tsec = current_security();
+ const struct task_security_struct *tsec =
+ lsm_get_cred(current_cred(), &selinux_ops);
struct xfrm_sec_ctx *ctx = x->security;
int rc = 0;
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 99b3612..d112298 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -20,6 +20,7 @@
#include <net/netlabel.h>
#include <linux/list.h>
#include <linux/rculist.h>
+#include <linux/lsm.h>
#include <linux/lsm_audit.h>
/*
@@ -203,6 +204,7 @@ struct smk_audit_info {
* These functions are in smack_lsm.c
*/
struct inode_smack *new_inode_smack(char *);
+int smk_setcurrent(char *, size_t);
/*
* These functions are in smack_access.c
@@ -221,6 +223,7 @@ u32 smack_to_secid(const char *);
/*
* Shared data.
*/
+extern int smack_use_netlbl;
extern int smack_cipso_direct;
extern int smack_cipso_mapped;
extern char *smack_net_ambient;
@@ -243,18 +246,18 @@ extern struct security_operations smack_ops;
/*
* Is the directory transmuting?
*/
-static inline int smk_inode_transmutable(const struct inode *isp)
+static inline int smk_inode_transmutable(struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = lsm_get_inode(isp, &smack_ops);
return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
}
/*
* Present a pointer to the smack label in an inode blob.
*/
-static inline char *smk_of_inode(const struct inode *isp)
+static inline char *smk_of_inode(struct inode *isp)
{
- struct inode_smack *sip = isp->i_security;
+ struct inode_smack *sip = lsm_get_inode(isp, &smack_ops);
return sip->smk_inode;
}
@@ -279,7 +282,9 @@ static inline char *smk_of_forked(const struct task_smack *tsp)
*/
static inline char *smk_of_current(void)
{
- return smk_of_task(current_security());
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
+
+ return tsp->smk_task;
}
/*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index db14689..b4b4044 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -197,7 +197,7 @@ out_audit:
*/
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
char *sp = smk_of_task(tsp);
int may;
int rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index fa64740..5fef975 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -40,7 +40,16 @@
#include <linux/binfmts.h>
#include "smack.h"
-#define task_security(task) (task_cred_xxx((task), security))
+static void *task_security(struct task_struct *task)
+{
+ const struct cred *cred;
+
+ rcu_read_lock();
+ cred = __task_cred(task);
+ rcu_read_unlock();
+
+ return lsm_get_cred(cred, &smack_ops);
+}
#define TRANS_TRUE "TRUE"
#define TRANS_TRUE_SIZE 4
@@ -174,8 +183,7 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ctp);
- rc = smk_curacc(tsp, MAY_READWRITE, &ad);
- return rc;
+ return smk_curacc(tsp, MAY_READWRITE, &ad);
}
/**
@@ -200,8 +208,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ptp);
- rc = smk_curacc(tsp, MAY_READWRITE, &ad);
- return rc;
+ return smk_curacc(tsp, MAY_READWRITE, &ad);
}
/**
@@ -252,7 +259,7 @@ static int smack_sb_alloc_security(struct super_block *sb)
sbsp->smk_hat = smack_known_hat.smk_known;
sbsp->smk_initialized = 0;
- sb->s_security = sbsp;
+ lsm_set_super(sb, sbsp, &smack_ops);
return 0;
}
@@ -264,8 +271,10 @@ static int smack_sb_alloc_security(struct super_block *sb)
*/
static void smack_sb_free_security(struct super_block *sb)
{
- kfree(sb->s_security);
- sb->s_security = NULL;
+ struct superblock_smack *sbsp = lsm_get_super(sb, &smack_ops);
+
+ kfree(sbsp);
+ lsm_set_super(sb, NULL, &smack_ops);
}
/**
@@ -325,7 +334,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
struct dentry *root = sb->s_root;
struct inode *inode = root->d_inode;
- struct superblock_smack *sp = sb->s_security;
+ struct superblock_smack *sp = lsm_get_super(sb, &smack_ops);
struct inode_smack *isp;
char *op;
char *commap;
@@ -368,9 +377,9 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
/*
* Initialize the root inode.
*/
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
if (isp == NULL)
- inode->i_security = new_inode_smack(sp->smk_root);
+ lsm_set_inode(inode, new_inode_smack(sp->smk_root), &smack_ops);
else
isp->smk_inode = sp->smk_root;
@@ -386,7 +395,7 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
*/
static int smack_sb_statfs(struct dentry *dentry)
{
- struct superblock_smack *sbp = dentry->d_sb->s_security;
+ struct superblock_smack *sbp = lsm_get_super(dentry->d_sb, &smack_ops);
int rc;
struct smk_audit_info ad;
@@ -411,12 +420,13 @@ static int smack_sb_statfs(struct dentry *dentry)
static int smack_sb_mount(const char *dev_name, struct path *path,
const char *type, unsigned long flags, void *data)
{
- struct superblock_smack *sbp = path->dentry->d_sb->s_security;
+ struct superblock_smack *sbp;
struct smk_audit_info ad;
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, *path);
+ sbp = lsm_get_super(path->dentry->d_sb, &smack_ops);
return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
}
@@ -440,7 +450,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, path);
- sbp = path.dentry->d_sb->s_security;
+ sbp = lsm_get_super(path.dentry->d_sb, &smack_ops);
return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
}
@@ -457,7 +467,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
static int smack_bprm_set_creds(struct linux_binprm *bprm)
{
struct inode *inode = file_inode(bprm->file);
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = lsm_get_cred(bprm->cred, &smack_ops);
struct inode_smack *isp;
int rc;
@@ -468,7 +478,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
return 0;
@@ -489,7 +499,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
*/
static void smack_bprm_committing_creds(struct linux_binprm *bprm)
{
- struct task_smack *bsp = bprm->cred->security;
+ struct task_smack *bsp = lsm_get_cred(bprm->cred, &smack_ops);
if (bsp->smk_task != bsp->smk_forked)
current->pdeath_signal = 0;
@@ -503,7 +513,7 @@ static void smack_bprm_committing_creds(struct linux_binprm *bprm)
*/
static int smack_bprm_secureexec(struct linux_binprm *bprm)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
int ret = cap_bprm_secureexec(bprm);
if (!ret && (tsp->smk_task != tsp->smk_forked))
@@ -524,9 +534,12 @@ static int smack_bprm_secureexec(struct linux_binprm *bprm)
*/
static int smack_inode_alloc_security(struct inode *inode)
{
- inode->i_security = new_inode_smack(smk_of_current());
- if (inode->i_security == NULL)
+ struct inode_smack *isp = new_inode_smack(smk_of_current());
+
+ if (isp == NULL)
return -ENOMEM;
+
+ lsm_set_inode(inode, isp, &smack_ops);
return 0;
}
@@ -538,8 +551,8 @@ static int smack_inode_alloc_security(struct inode *inode)
*/
static void smack_inode_free_security(struct inode *inode)
{
- kfree(inode->i_security);
- inode->i_security = NULL;
+ kfree(lsm_get_inode(inode, &smack_ops));
+ lsm_set_inode(inode, NULL, &smack_ops);
}
/**
@@ -558,7 +571,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
void **value, size_t *len)
{
struct smack_known *skp;
- struct inode_smack *issp = inode->i_security;
+ struct inode_smack *issp = lsm_get_inode(inode, &smack_ops);
char *csp = smk_of_current();
char *isp = smk_of_inode(inode);
char *dsp = smk_of_inode(dir);
@@ -863,7 +876,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
char *nsp;
- struct inode_smack *isp = dentry->d_inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(dentry->d_inode, &smack_ops);
if (strcmp(name, XATTR_NAME_SMACK) == 0) {
nsp = smk_import(value, size);
@@ -938,7 +951,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
if (rc == 0) {
- isp = dentry->d_inode->i_security;
+ isp = lsm_get_inode(dentry->d_inode, &smack_ops);
isp->smk_task = NULL;
isp->smk_mmap = NULL;
}
@@ -955,9 +968,8 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
*
* Returns the size of the attribute or an error code
*/
-static int smack_inode_getsecurity(const struct inode *inode,
- const char *name, void **buffer,
- bool alloc)
+static int smack_inode_getsecurity(const struct inode *inode, const char *name,
+ void **buffer, bool alloc)
{
struct socket_smack *ssp;
struct socket *sock;
@@ -968,7 +980,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
int rc = 0;
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
- isp = smk_of_inode(inode);
+ isp = smk_of_inode(ip);
ilen = strlen(isp) + 1;
*buffer = isp;
return ilen;
@@ -985,7 +997,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
isp = ssp->smk_in;
@@ -1015,13 +1027,11 @@ static int smack_inode_getsecurity(const struct inode *inode,
static int smack_inode_listsecurity(struct inode *inode, char *buffer,
size_t buffer_size)
{
- int len = strlen(XATTR_NAME_SMACK);
+ const int len = sizeof(XATTR_NAME_SMACK);
- if (buffer != NULL && len <= buffer_size) {
+ if (buffer != NULL && len <= buffer_size)
memcpy(buffer, XATTR_NAME_SMACK, len);
- return len;
- }
- return -EINVAL;
+ return len;
}
/**
@@ -1031,7 +1041,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
*/
static void smack_inode_getsecid(const struct inode *inode, u32 *secid)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
*secid = smack_to_secid(isp->smk_inode);
}
@@ -1070,7 +1080,7 @@ static int smack_file_permission(struct file *file, int mask)
*/
static int smack_file_alloc_security(struct file *file)
{
- file->f_security = smk_of_current();
+ lsm_set_file(file, smk_of_current(), &smack_ops);
return 0;
}
@@ -1083,7 +1093,7 @@ static int smack_file_alloc_security(struct file *file)
*/
static void smack_file_free_security(struct file *file)
{
- file->f_security = NULL;
+ lsm_set_file(file, NULL, &smack_ops);
}
/**
@@ -1101,15 +1111,16 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
{
int rc = 0;
struct smk_audit_info ad;
+ char *fsp = lsm_get_file(file, &smack_ops);
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
if (_IOC_DIR(cmd) & _IOC_WRITE)
- rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
+ rc = smk_curacc(fsp, MAY_WRITE, &ad);
if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ))
- rc = smk_curacc(file->f_security, MAY_READ, &ad);
+ rc = smk_curacc(fsp, MAY_READ, &ad);
return rc;
}
@@ -1127,7 +1138,7 @@ static int smack_file_lock(struct file *file, unsigned int cmd)
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
- return smk_curacc(file->f_security, MAY_WRITE, &ad);
+ return smk_curacc(lsm_get_file(file, &smack_ops), MAY_WRITE, &ad);
}
/**
@@ -1157,7 +1168,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
case F_SETSIG:
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
smk_ad_setfield_u_fs_path(&ad, file->f_path);
- rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
+ rc = smk_curacc(lsm_get_file(file, &smack_ops), MAY_WRITE, &ad);
break;
default:
break;
@@ -1195,12 +1206,12 @@ static int smack_mmap_file(struct file *file,
if (file == NULL)
return 0;
- isp = file_inode(file)->i_security;
+ isp = lsm_get_inode(file_inode(file), &smack_ops);
if (isp->smk_mmap == NULL)
return 0;
msmack = isp->smk_mmap;
- tsp = current_security();
+ tsp = lsm_get_cred(current_cred(), &smack_ops);
sp = smk_of_current();
skp = smk_find_entry(sp);
rc = 0;
@@ -1279,7 +1290,7 @@ static int smack_mmap_file(struct file *file,
*/
static int smack_file_set_fowner(struct file *file)
{
- file->f_security = smk_of_current();
+ lsm_set_file(file, smk_of_current(), &smack_ops);
return 0;
}
@@ -1299,22 +1310,24 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
{
struct file *file;
int rc;
- char *tsp = smk_of_task(tsk->cred->security);
+ char *tsp = smk_of_task(lsm_get_cred(tsk->cred, &smack_ops));
+ char *fsp;
struct smk_audit_info ad;
/*
* struct fown_struct is never outside the context of a struct file
*/
file = container_of(fown, struct file, f_owner);
+ fsp = lsm_get_file(file, &smack_ops);
/* we don't log here as rc can be overriden */
- rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL);
+ rc = smk_access(fsp, tsp, MAY_WRITE, NULL);
if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
rc = 0;
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, tsk);
- smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad);
+ smack_log(fsp, tsp, MAY_WRITE, rc, &ad);
return rc;
}
@@ -1339,7 +1352,7 @@ static int smack_file_receive(struct file *file)
if (file->f_mode & FMODE_WRITE)
may |= MAY_WRITE;
- return smk_curacc(file->f_security, may, &ad);
+ return smk_curacc(lsm_get_file(file, &smack_ops), may, &ad);
}
/**
@@ -1353,9 +1366,9 @@ static int smack_file_receive(struct file *file)
*/
static int smack_file_open(struct file *file, const struct cred *cred)
{
- struct inode_smack *isp = file_inode(file)->i_security;
+ struct inode_smack *isp = lsm_get_inode(file_inode(file), &smack_ops);
- file->f_security = isp->smk_inode;
+ lsm_set_file(file, isp->smk_inode, &smack_ops);
return 0;
}
@@ -1381,7 +1394,7 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (tsp == NULL)
return -ENOMEM;
- cred->security = tsp;
+ lsm_set_cred(cred, tsp, &smack_ops);
return 0;
}
@@ -1394,14 +1407,14 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/
static void smack_cred_free(struct cred *cred)
{
- struct task_smack *tsp = cred->security;
+ struct task_smack *tsp = lsm_get_cred(cred, &smack_ops);
struct smack_rule *rp;
struct list_head *l;
struct list_head *n;
if (tsp == NULL)
return;
- cred->security = NULL;
+ lsm_set_cred(cred, NULL, &smack_ops);
list_for_each_safe(l, n, &tsp->smk_rules) {
rp = list_entry(l, struct smack_rule, list);
@@ -1422,7 +1435,7 @@ static void smack_cred_free(struct cred *cred)
static int smack_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct task_smack *old_tsp = old->security;
+ struct task_smack *old_tsp = lsm_get_cred(old, &smack_ops);
struct task_smack *new_tsp;
int rc;
@@ -1434,7 +1447,7 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
if (rc != 0)
return rc;
- new->security = new_tsp;
+ lsm_set_cred(new, new_tsp, &smack_ops);
return 0;
}
@@ -1447,8 +1460,8 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
*/
static void smack_cred_transfer(struct cred *new, const struct cred *old)
{
- struct task_smack *old_tsp = old->security;
- struct task_smack *new_tsp = new->security;
+ struct task_smack *old_tsp = lsm_get_cred(old, &smack_ops);
+ struct task_smack *new_tsp = lsm_get_cred(new, &smack_ops);
new_tsp->smk_task = old_tsp->smk_task;
new_tsp->smk_forked = old_tsp->smk_task;
@@ -1468,7 +1481,7 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
*/
static int smack_kernel_act_as(struct cred *new, u32 secid)
{
- struct task_smack *new_tsp = new->security;
+ struct task_smack *new_tsp = lsm_get_cred(new, &smack_ops);
char *smack = smack_from_secid(secid);
if (smack == NULL)
@@ -1489,8 +1502,8 @@ static int smack_kernel_act_as(struct cred *new, u32 secid)
static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
- struct task_smack *tsp = new->security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
+ struct task_smack *tsp = lsm_get_cred(new, &smack_ops);
tsp->smk_forked = isp->smk_inode;
tsp->smk_task = isp->smk_inode;
@@ -1709,7 +1722,7 @@ static int smack_task_wait(struct task_struct *p)
*/
static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
{
- struct inode_smack *isp = inode->i_security;
+ struct inode_smack *isp = lsm_get_inode(inode, &smack_ops);
isp->smk_inode = smk_of_task(task_security(p));
}
@@ -1740,7 +1753,7 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
ssp->smk_out = csp;
ssp->smk_packet = NULL;
- sk->sk_security = ssp;
+ lsm_set_sock(sk, ssp, &smack_ops);
return 0;
}
@@ -1753,7 +1766,8 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
*/
static void smack_sk_free_security(struct sock *sk)
{
- kfree(sk->sk_security);
+ kfree(lsm_get_sock(sk, &smack_ops));
+ lsm_set_sock(sk, NULL, &smack_ops);
}
/**
@@ -1806,7 +1820,7 @@ static char *smack_host_label(struct sockaddr_in *sip)
static int smack_netlabel(struct sock *sk, int labeled)
{
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
int rc = 0;
/*
@@ -1850,7 +1864,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
int rc;
int sk_lbl;
char *hostsp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
struct smk_audit_info ad;
rcu_read_lock();
@@ -1893,7 +1907,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
const void *value, size_t size, int flags)
{
char *sp;
- struct inode_smack *nsp = inode->i_security;
+ struct inode_smack *nsp = lsm_get_inode(inode, &smack_ops);
struct socket_smack *ssp;
struct socket *sock;
int rc = 0;
@@ -1920,7 +1934,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
if (sock == NULL || sock->sk == NULL)
return -EOPNOTSUPP;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
ssp->smk_in = sp;
@@ -2011,7 +2025,7 @@ static int smack_flags_to_may(int flags)
*/
static int smack_msg_msg_alloc_security(struct msg_msg *msg)
{
- msg->security = smk_of_current();
+ lsm_set_msg(msg, smk_of_current(), &smack_ops);
return 0;
}
@@ -2023,7 +2037,7 @@ static int smack_msg_msg_alloc_security(struct msg_msg *msg)
*/
static void smack_msg_msg_free_security(struct msg_msg *msg)
{
- msg->security = NULL;
+ lsm_set_msg(msg, NULL, &smack_ops);
}
/**
@@ -2034,7 +2048,7 @@ static void smack_msg_msg_free_security(struct msg_msg *msg)
*/
static char *smack_of_shm(struct shmid_kernel *shp)
{
- return (char *)shp->shm_perm.security;
+ return lsm_get_ipc(&shp->shm_perm, &smack_ops);
}
/**
@@ -2045,9 +2059,7 @@ static char *smack_of_shm(struct shmid_kernel *shp)
*/
static int smack_shm_alloc_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = smk_of_current();
+ lsm_set_ipc(&shp->shm_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2059,9 +2071,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp)
*/
static void smack_shm_free_security(struct shmid_kernel *shp)
{
- struct kern_ipc_perm *isp = &shp->shm_perm;
-
- isp->security = NULL;
+ lsm_set_ipc(&shp->shm_perm, NULL, &smack_ops);
}
/**
@@ -2073,14 +2083,13 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
*/
static int smk_curacc_shm(struct shmid_kernel *shp, int access)
{
- char *ssp = smack_of_shm(shp);
struct smk_audit_info ad;
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
ad.a.u.ipc_id = shp->shm_perm.id;
#endif
- return smk_curacc(ssp, access, &ad);
+ return smk_curacc(smack_of_shm(shp), access, &ad);
}
/**
@@ -2092,10 +2101,7 @@ static int smk_curacc_shm(struct shmid_kernel *shp, int access)
*/
static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
{
- int may;
-
- may = smack_flags_to_may(shmflg);
- return smk_curacc_shm(shp, may);
+ return smk_curacc_shm(shp, smack_flags_to_may(shmflg));
}
/**
@@ -2143,10 +2149,7 @@ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
int shmflg)
{
- int may;
-
- may = smack_flags_to_may(shmflg);
- return smk_curacc_shm(shp, may);
+ return smk_curacc_shm(shp, smack_flags_to_may(shmflg));
}
/**
@@ -2157,7 +2160,7 @@ static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
*/
static char *smack_of_sem(struct sem_array *sma)
{
- return (char *)sma->sem_perm.security;
+ return lsm_get_ipc(&sma->sem_perm, &smack_ops);
}
/**
@@ -2168,9 +2171,7 @@ static char *smack_of_sem(struct sem_array *sma)
*/
static int smack_sem_alloc_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = smk_of_current();
+ lsm_set_ipc(&sma->sem_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2182,9 +2183,7 @@ static int smack_sem_alloc_security(struct sem_array *sma)
*/
static void smack_sem_free_security(struct sem_array *sma)
{
- struct kern_ipc_perm *isp = &sma->sem_perm;
-
- isp->security = NULL;
+ lsm_set_ipc(&sma->sem_perm, NULL, &smack_ops);
}
/**
@@ -2215,10 +2214,7 @@ static int smk_curacc_sem(struct sem_array *sma, int access)
*/
static int smack_sem_associate(struct sem_array *sma, int semflg)
{
- int may;
-
- may = smack_flags_to_may(semflg);
- return smk_curacc_sem(sma, may);
+ return smk_curacc_sem(sma, smack_flags_to_may(semflg));
}
/**
@@ -2286,9 +2282,7 @@ static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
*/
static int smack_msg_queue_alloc_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = smk_of_current();
+ lsm_set_ipc(&msq->q_perm, smk_of_current(), &smack_ops);
return 0;
}
@@ -2300,9 +2294,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq)
*/
static void smack_msg_queue_free_security(struct msg_queue *msq)
{
- struct kern_ipc_perm *kisp = &msq->q_perm;
-
- kisp->security = NULL;
+ lsm_set_ipc(&msq->q_perm, NULL, &smack_ops);
}
/**
@@ -2313,7 +2305,7 @@ static void smack_msg_queue_free_security(struct msg_queue *msq)
*/
static char *smack_of_msq(struct msg_queue *msq)
{
- return (char *)msq->q_perm.security;
+ return lsm_get_ipc(&msq->q_perm, &smack_ops);
}
/**
@@ -2344,10 +2336,7 @@ static int smk_curacc_msq(struct msg_queue *msq, int access)
*/
static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
- int may;
-
- may = smack_flags_to_may(msqflg);
- return smk_curacc_msq(msq, may);
+ return smk_curacc_msq(msq, smack_flags_to_may(msqflg));
}
/**
@@ -2394,10 +2383,7 @@ static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
int msqflg)
{
- int may;
-
- may = smack_flags_to_may(msqflg);
- return smk_curacc_msq(msq, may);
+ return smk_curacc_msq(msq, smack_flags_to_may(msqflg));
}
/**
@@ -2425,15 +2411,14 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
*/
static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
{
- char *isp = ipp->security;
- int may = smack_flags_to_may(flag);
struct smk_audit_info ad;
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
ad.a.u.ipc_id = ipp->id;
#endif
- return smk_curacc(isp, may, &ad);
+ return smk_curacc(lsm_get_ipc(ipp, &smack_ops),
+ smack_flags_to_may(flag), &ad);
}
/**
@@ -2443,9 +2428,7 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
*/
static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
{
- char *smack = ipp->security;
-
- *secid = smack_to_secid(smack);
+ *secid = smack_to_secid(lsm_get_ipc(ipp, &smack_ops));
}
/**
@@ -2471,7 +2454,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
if (inode == NULL)
return;
- isp = inode->i_security;
+ isp = lsm_get_inode(inode, &smack_ops);
mutex_lock(&isp->smk_lock);
/*
@@ -2482,7 +2465,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
goto unlockandout;
sbp = inode->i_sb;
- sbsp = sbp->s_security;
+ sbsp = lsm_get_super(sbp, &smack_ops);
/*
* We're going to use the superblock default label
* if there's no label on the file.
@@ -2664,40 +2647,26 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
}
/**
- * smack_setprocattr - Smack process attribute setting
- * @p: the object task
- * @name: the name of the attribute in /proc/.../attr
+ * smk_setcurrent - Set Smack process attribute setting
* @value: the value to set
* @size: the size of the value
*
- * Sets the Smack value of the task. Only setting self
- * is permitted and only with privilege
+ * Sets the Smack value of the task. Only with privilege
*
* Returns the length of the smack label or an error code
*/
-static int smack_setprocattr(struct task_struct *p, char *name,
- void *value, size_t size)
+int smk_setcurrent(char *value, size_t size)
{
struct task_smack *tsp;
struct cred *new;
char *newsmack;
- /*
- * Changing another process' Smack value is too dangerous
- * and supports no sane use case.
- */
- if (p != current)
- return -EPERM;
-
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;
if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
return -EINVAL;
- if (strcmp(name, "current") != 0)
- return -EINVAL;
-
newsmack = smk_import(value, size);
if (newsmack == NULL)
return -EINVAL;
@@ -2712,7 +2681,7 @@ static int smack_setprocattr(struct task_struct *p, char *name,
if (new == NULL)
return -ENOMEM;
- tsp = new->security;
+ tsp = lsm_get_cred(new, &smack_ops);
tsp->smk_task = newsmack;
commit_creds(new);
@@ -2720,6 +2689,33 @@ static int smack_setprocattr(struct task_struct *p, char *name,
}
/**
+ * smack_setprocattr - Smack process attribute setting
+ * @p: the object task
+ * @name: the name of the attribute in /proc/.../attr
+ * @value: the value to set
+ * @size: the size of the value
+ *
+ * Sets the Smack value of the task. Only setting self
+ * is permitted and only with privilege
+ *
+ * Returns the length of the smack label or an error code
+ */
+static int smack_setprocattr(struct task_struct *p, char *name,
+ void *value, size_t size)
+{
+ /*
+ * Changing another process' Smack value is too dangerous
+ * and supports no sane use case.
+ */
+ if (p != current)
+ return -EPERM;
+ if (strcmp(name, "current") != 0)
+ return -EINVAL;
+
+ return smk_setcurrent(value, size);
+}
+
+/**
* smack_unix_stream_connect - Smack access on UDS
* @sock: one sock
* @other: the other sock
@@ -2731,9 +2727,9 @@ static int smack_setprocattr(struct task_struct *p, char *name,
static int smack_unix_stream_connect(struct sock *sock,
struct sock *other, struct sock *newsk)
{
- struct socket_smack *ssp = sock->sk_security;
- struct socket_smack *osp = other->sk_security;
- struct socket_smack *nsp = newsk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sock, &smack_ops);
+ struct socket_smack *osp = lsm_get_sock(other, &smack_ops);
+ struct socket_smack *nsp = lsm_get_sock(newsk, &smack_ops);
struct smk_audit_info ad;
int rc = 0;
@@ -2768,8 +2764,8 @@ static int smack_unix_stream_connect(struct sock *sock,
*/
static int smack_unix_may_send(struct socket *sock, struct socket *other)
{
- struct socket_smack *ssp = sock->sk->sk_security;
- struct socket_smack *osp = other->sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sock->sk, &smack_ops);
+ struct socket_smack *osp = lsm_get_sock(other->sk, &smack_ops);
struct smk_audit_info ad;
int rc = 0;
@@ -2888,7 +2884,7 @@ static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct netlbl_lsm_secattr secattr;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
char *csp;
int rc;
struct smk_audit_info ad;
@@ -2900,6 +2896,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
/*
* Translate what netlabel gave us.
+ * If Netlabel is unavailable use the ambient label.
+ * In this case we'd expect the ambient label to be "@".
*/
netlbl_secattr_init(&secattr);
@@ -2947,7 +2945,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
int slen = 1;
int rc = 0;
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
if (ssp->smk_packet != NULL) {
rcp = ssp->smk_packet;
slen = strlen(rcp) + 1;
@@ -2994,14 +2992,14 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
family = sock->sk->sk_family;
if (family == PF_UNIX) {
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
s = smack_to_secid(ssp->smk_out);
} else if (family == PF_INET || family == PF_INET6) {
/*
* Translate what netlabel gave us.
*/
if (sock != NULL && sock->sk != NULL)
- ssp = sock->sk->sk_security;
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
netlbl_secattr_init(&secattr);
rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0) {
@@ -3032,7 +3030,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
(sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
return;
- ssp = sk->sk_security;
+ ssp = lsm_get_sock(sk, &smack_ops);
ssp->smk_in = ssp->smk_out = smk_of_current();
/* cssp->smk_packet is already set in smack_inet_csk_clone() */
}
@@ -3051,7 +3049,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
{
u16 family = sk->sk_family;
struct smack_known *skp;
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
struct netlbl_lsm_secattr secattr;
struct sockaddr_in addr;
struct iphdr *hdr;
@@ -3125,7 +3123,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
static void smack_inet_csk_clone(struct sock *sk,
const struct request_sock *req)
{
- struct socket_smack *ssp = sk->sk_security;
+ struct socket_smack *ssp = lsm_get_sock(sk, &smack_ops);
if (req->peer_secid != 0)
ssp->smk_packet = smack_from_secid(req->peer_secid);
@@ -3155,7 +3153,8 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- key->security = smk_of_task(cred->security);
+ lsm_set_key(key, smk_of_task(lsm_get_cred(cred, &smack_ops)),
+ &smack_ops);
return 0;
}
@@ -3167,7 +3166,7 @@ static int smack_key_alloc(struct key *key, const struct cred *cred,
*/
static void smack_key_free(struct key *key)
{
- key->security = NULL;
+ lsm_set_key(key, NULL, &smack_ops);
}
/*
@@ -3184,16 +3183,18 @@ static int smack_key_permission(key_ref_t key_ref,
{
struct key *keyp;
struct smk_audit_info ad;
- char *tsp = smk_of_task(cred->security);
+ char *tsp = smk_of_task(lsm_get_cred(cred, &smack_ops));
+ char *ksp;
keyp = key_ref_to_ptr(key_ref);
if (keyp == NULL)
return -EINVAL;
+ ksp = lsm_get_key(keyp, &smack_ops);
/*
* If the key hasn't been initialized give it access so that
* it may do so.
*/
- if (keyp->security == NULL)
+ if (ksp == NULL)
return 0;
/*
* This should not occur
@@ -3205,8 +3206,7 @@ static int smack_key_permission(key_ref_t key_ref,
ad.a.u.key_struct.key = keyp->serial;
ad.a.u.key_struct.key_desc = keyp->description;
#endif
- return smk_access(tsp, keyp->security,
- MAY_READWRITE, &ad);
+ return smk_access(tsp, ksp, MAY_READWRITE, &ad);
}
#endif /* CONFIG_KEYS */
@@ -3342,7 +3342,7 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
if (secdata)
*secdata = sp;
- *seclen = strlen(sp);
+ *seclen = strlen(sp) + 1;
return 0;
}
@@ -3571,6 +3571,7 @@ static __init void init_smack_known_list(void)
*/
static __init int smack_init(void)
{
+ int rc;
struct cred *cred;
struct task_smack *tsp;
@@ -3588,7 +3589,10 @@ static __init int smack_init(void)
* Set the security state for the initial task.
*/
cred = (struct cred *) current->cred;
- cred->security = tsp;
+
+ rc = lsm_set_init_cred(cred, tsp, &smack_ops);
+ if (rc != 0)
+ panic("smack: Unable to initialize credentials.\n");
/* initialize the smack_known_list */
init_smack_known_list();
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 76a5dca..5335444 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -108,7 +108,7 @@ struct smack_master_list {
struct smack_rule *smk_rule;
};
-LIST_HEAD(smack_rule_list);
+static LIST_HEAD(smack_rule_list);
static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
@@ -1173,12 +1173,12 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
}
smk_netlabel_audit_set(&audit_info);
+ rc = 0;
if (found == 0) {
skp = kzalloc(sizeof(*skp), GFP_KERNEL);
if (skp == NULL)
rc = -ENOMEM;
else {
- rc = 0;
skp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
skp->smk_mask.s_addr = mask.s_addr;
skp->smk_label = sp;
@@ -1191,8 +1191,6 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
&skp->smk_host.sin_addr, &skp->smk_mask,
PF_INET, &audit_info);
- else
- rc = 0;
skp->smk_label = sp;
}
@@ -1582,7 +1580,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *data;
- char *sp = smk_of_task(current->cred->security);
+ char *sp = smk_of_task(lsm_get_cred(current->cred, &smack_ops));
int rc = count;
if (!smack_privileged(CAP_MAC_ADMIN))
@@ -1696,14 +1694,14 @@ static const struct file_operations smk_logging_ops = {
static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -1750,7 +1748,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_FIXED24_FMT);
@@ -1905,14 +1903,14 @@ static const struct file_operations smk_load2_ops = {
static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_start(s, pos, &tsp->smk_rules);
}
static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_seq_next(s, v, pos, &tsp->smk_rules);
}
@@ -1958,7 +1956,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- struct task_smack *tsp = current_security();
+ struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_LONG_FMT);
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index d4f166b..ef0cdcc 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -28,6 +28,7 @@
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/un.h>
+#include <linux/lsm.h>
#include <net/sock.h>
#include <net/af_unix.h>
#include <net/ip.h>
@@ -1079,6 +1080,7 @@ extern struct list_head tomoyo_domain_list;
extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
extern struct list_head tomoyo_namespace_list;
extern struct mutex tomoyo_policy_lock;
+extern struct security_operations tomoyo_security_ops;
extern struct srcu_struct tomoyo_ss;
extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
@@ -1202,7 +1204,7 @@ static inline void tomoyo_put_group(struct tomoyo_group *group)
*/
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
- return current_cred()->security;
+ return lsm_get_cred(current_cred(), &tomoyo_security_ops);
}
/**
@@ -1215,7 +1217,7 @@ static inline struct tomoyo_domain_info *tomoyo_domain(void)
static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
*task)
{
- return task_cred_xxx(task, security);
+ return lsm_get_cred(__task_cred(task), &tomoyo_security_ops);
}
/**
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 3865145..15042e7 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -840,7 +840,7 @@ force_jump_domain:
domain = old_domain;
/* Update reference count on "struct tomoyo_domain_info". */
atomic_inc(&domain->users);
- bprm->cred->security = domain;
+ lsm_set_cred(bprm->cred, domain, &tomoyo_security_ops);
kfree(exename.name);
if (!retval) {
ee->r.domain = domain;
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index fcf3278..2c0332c 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -75,8 +75,10 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
error = -ENOMEM;
} else {
struct tomoyo_domain_info *old_domain =
- cred->security;
- cred->security = new_domain;
+ lsm_get_cred(cred,
+ &tomoyo_security_ops);
+ lsm_set_cred(cred, new_domain,
+ &tomoyo_security_ops);
atomic_inc(&new_domain->users);
atomic_dec(&old_domain->users);
commit_creds(cred);
@@ -242,7 +244,8 @@ static int __init tomoyo_initerface_init(void)
struct dentry *tomoyo_dir;
/* Don't create securityfs entries unless registered. */
- if (current_cred()->security != &tomoyo_kernel_domain)
+ if (lsm_get_cred(current_cred(), &tomoyo_security_ops) !=
+ &tomoyo_kernel_domain)
return 0;
tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index a2ee362..2b4cade 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -17,7 +17,7 @@
*/
static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
{
- new->security = NULL;
+ lsm_set_cred(new, NULL, &tomoyo_security_ops);
return 0;
}
@@ -33,8 +33,10 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
- struct tomoyo_domain_info *domain = old->security;
- new->security = domain;
+ struct tomoyo_domain_info *domain;
+
+ domain = lsm_get_cred(old, &tomoyo_security_ops);
+ lsm_set_cred(new, domain, &tomoyo_security_ops);
if (domain)
atomic_inc(&domain->users);
return 0;
@@ -58,9 +60,13 @@ static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
*/
static void tomoyo_cred_free(struct cred *cred)
{
- struct tomoyo_domain_info *domain = cred->security;
- if (domain)
+ struct tomoyo_domain_info *domain;
+
+ domain = lsm_get_cred(cred, &tomoyo_security_ops);
+ if (domain) {
atomic_dec(&domain->users);
+ lsm_set_cred(cred, NULL, &tomoyo_security_ops);
+ }
}
/**
@@ -98,13 +104,13 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
* stored inside "bprm->cred->security" will be acquired later inside
* tomoyo_find_next_domain().
*/
- atomic_dec(&((struct tomoyo_domain_info *)
- bprm->cred->security)->users);
+ atomic_dec(&((struct tomoyo_domain_info *)lsm_get_cred(bprm->cred,
+ &tomoyo_security_ops))->users);
/*
* Tell tomoyo_bprm_check_security() is called for the first time of an
* execve operation.
*/
- bprm->cred->security = NULL;
+ lsm_set_cred(bprm->cred, NULL, &tomoyo_security_ops);
return 0;
}
@@ -117,8 +123,9 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
*/
static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
{
- struct tomoyo_domain_info *domain = bprm->cred->security;
+ struct tomoyo_domain_info *domain;
+ domain = lsm_get_cred(bprm->cred, &tomoyo_security_ops);
/*
* Execute permission is checked against pathname passed to do_execve()
* using current domain.
@@ -503,7 +510,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
*/
-static struct security_operations tomoyo_security_ops = {
+struct security_operations tomoyo_security_ops = {
.name = "tomoyo",
.cred_alloc_blank = tomoyo_cred_alloc_blank,
.cred_prepare = tomoyo_cred_prepare,
@@ -545,16 +552,22 @@ struct srcu_struct tomoyo_ss;
*/
static int __init tomoyo_init(void)
{
+ int rc;
struct cred *cred = (struct cred *) current_cred();
+ /* register ourselves with the security framework */
if (!security_module_enable(&tomoyo_security_ops))
return 0;
- /* register ourselves with the security framework */
- if (register_security(&tomoyo_security_ops) ||
- init_srcu_struct(&tomoyo_ss))
+
+ if (init_srcu_struct(&tomoyo_ss))
panic("Failure registering TOMOYO Linux");
printk(KERN_INFO "TOMOYO Linux initialized\n");
- cred->security = &tomoyo_kernel_domain;
+
+ rc = lsm_set_init_cred(cred, &tomoyo_kernel_domain,
+ &tomoyo_security_ops);
+ if (rc)
+ panic("Failure allocating credential for TOMOYO Linux");
+
tomoyo_mm_init();
return 0;
}
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH v13 2/9] LSM: Complete conversion to kill_pid_info_as_cred
[not found] <5176ABB7.5080300@schaufler-ca.com>
2013-04-23 16:04 ` [PATCH v13 0/9] LSM: Multiple concurrent LSMs Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 1/9] LSM: Security blob abstraction Casey Schaufler
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 3/9] LSM: Multiple concurrent secids Casey Schaufler
` (6 subsequent siblings)
9 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 2/9] LSM: Complete conversion to kill_pid_info_as_cred
The kill_pid_info_as_cred() function takes a secid as a parameter,
but the value is always taken from the cred that is also passed as
a parameter. Remove the secid parameter. Change the LSM interface
to take the cred rather than the secid, eliminating the need to get
or pass the secid in cases where it is unused.
The two LSMs that use this hook, SELinux and Smack, are updated.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
drivers/usb/core/devio.c | 10 ++--------
include/linux/sched.h | 2 +-
include/linux/security.h | 9 +++++----
kernel/signal.c | 6 +++---
security/selinux/hooks.c | 7 +++----
security/smack/smack_lsm.c | 10 +++++-----
6 files changed, 19 insertions(+), 25 deletions(-)
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 8823e98..18763ea 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -75,7 +75,6 @@ struct dev_state {
const struct cred *cred;
void __user *disccontext;
unsigned long ifclaimed;
- u32 secid;
u32 disabled_bulk_eps;
};
@@ -91,7 +90,6 @@ struct async {
struct urb *urb;
unsigned int mem_usage;
int status;
- u32 secid;
u8 bulk_addr;
u8 bulk_status;
};
@@ -492,7 +490,6 @@ static void async_completed(struct urb *urb)
struct dev_state *ps = as->ps;
struct siginfo sinfo;
struct pid *pid = NULL;
- u32 secid = 0;
const struct cred *cred = NULL;
int signr;
@@ -507,7 +504,6 @@ static void async_completed(struct urb *urb)
sinfo.si_addr = as->userurb;
pid = get_pid(as->pid);
cred = get_cred(as->cred);
- secid = as->secid;
}
snoop(&urb->dev->dev, "urb complete\n");
snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
@@ -521,7 +517,7 @@ static void async_completed(struct urb *urb)
spin_unlock(&ps->lock);
if (signr) {
- kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred, secid);
+ kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred);
put_pid(pid);
put_cred(cred);
}
@@ -815,7 +811,6 @@ static int usbdev_open(struct inode *inode, struct file *file)
ps->cred = get_current_cred();
ps->disccontext = NULL;
ps->ifclaimed = 0;
- security_task_getsecid(current, &ps->secid);
smp_wmb();
list_add_tail(&ps->list, &dev->filelist);
file->private_data = ps;
@@ -1430,7 +1425,6 @@ static int proc_do_submiturb(struct dev_state *ps, struct usbdevfs_urb *uurb,
as->ifnum = ifnum;
as->pid = get_pid(task_pid(current));
as->cred = get_current_cred();
- security_task_getsecid(current, &as->secid);
snoop_urb(ps->dev, as->userurb, as->urb->pipe,
as->urb->transfer_buffer_length, 0, SUBMIT,
NULL, 0);
@@ -2211,7 +2205,7 @@ static void usbdev_remove(struct usb_device *udev)
sinfo.si_code = SI_ASYNCIO;
sinfo.si_addr = ps->disccontext;
kill_pid_info_as_cred(ps->discsignr, &sinfo,
- ps->disc_pid, ps->cred, ps->secid);
+ ps->disc_pid, ps->cred);
}
}
}
diff --git a/include/linux/sched.h b/include/linux/sched.h
index e692a02..08a6871 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -2164,7 +2164,7 @@ extern int force_sig_info(int, struct siginfo *, struct task_struct *);
extern int __kill_pgrp_info(int sig, struct siginfo *info, struct pid *pgrp);
extern int kill_pid_info(int sig, struct siginfo *info, struct pid *pid);
extern int kill_pid_info_as_cred(int, struct siginfo *, struct pid *,
- const struct cred *, u32);
+ const struct cred *);
extern int kill_pgrp(struct pid *pid, int sig, int priv);
extern int kill_pid(struct pid *pid, int sig, int priv);
extern int kill_proc_info(int, struct siginfo *, pid_t);
diff --git a/include/linux/security.h b/include/linux/security.h
index 032c366..a1079ab 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -777,7 +777,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @p contains the task_struct for process.
* @info contains the signal information.
* @sig contains the signal value.
- * @secid contains the sid of the process where the signal originated
+ * @cred contains the sid of the process where the signal originated
* Return 0 if permission is granted.
* @task_wait:
* Check permission before allowing a process to reap a child process @p
@@ -1546,7 +1546,8 @@ struct security_operations {
int (*task_getscheduler) (struct task_struct *p);
int (*task_movememory) (struct task_struct *p);
int (*task_kill) (struct task_struct *p,
- struct siginfo *info, int sig, u32 secid);
+ struct siginfo *info, int sig,
+ const struct cred *cred);
int (*task_wait) (struct task_struct *p);
int (*task_prctl) (int option, unsigned long arg2,
unsigned long arg3, unsigned long arg4,
@@ -1808,7 +1809,7 @@ int security_task_setscheduler(struct task_struct *p);
int security_task_getscheduler(struct task_struct *p);
int security_task_movememory(struct task_struct *p);
int security_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid);
+ int sig, const struct cred *cred);
int security_task_wait(struct task_struct *p);
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5);
@@ -2377,7 +2378,7 @@ static inline int security_task_movememory(struct task_struct *p)
static inline int security_task_kill(struct task_struct *p,
struct siginfo *info, int sig,
- u32 secid)
+ const struct cred *cred)
{
return 0;
}
diff --git a/kernel/signal.c b/kernel/signal.c
index dd72567..c702648 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -815,7 +815,7 @@ static int check_kill_permission(int sig, struct siginfo *info,
}
}
- return security_task_kill(t, info, sig, 0);
+ return security_task_kill(t, info, sig, NULL);
}
/**
@@ -1388,7 +1388,7 @@ static int kill_as_cred_perm(const struct cred *cred,
/* like kill_pid_info(), but doesn't use uid/euid of "current" */
int kill_pid_info_as_cred(int sig, struct siginfo *info, struct pid *pid,
- const struct cred *cred, u32 secid)
+ const struct cred *cred)
{
int ret = -EINVAL;
struct task_struct *p;
@@ -1407,7 +1407,7 @@ int kill_pid_info_as_cred(int sig, struct siginfo *info, struct pid *pid,
ret = -EPERM;
goto out_unlock;
}
- ret = security_task_kill(p, info, sig, secid);
+ ret = security_task_kill(p, info, sig, cred);
if (ret)
goto out_unlock;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ddaec58..9ff6d6d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3476,7 +3476,7 @@ static int selinux_task_movememory(struct task_struct *p)
}
static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *crd)
{
u32 perm;
int rc;
@@ -3486,9 +3486,8 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
else
perm = signal_to_av(sig);
- if (secid)
- rc = avc_has_perm(secid, task_sid(p),
- SECCLASS_PROCESS, perm, NULL);
+ if (crd)
+ rc = cred_has_perm(crd, __task_cred(p), perm);
else
rc = current_has_perm(p, perm);
return rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 5fef975..223bbdf 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1664,7 +1664,7 @@ static int smack_task_movememory(struct task_struct *p)
* @p: the task object
* @info: unused
* @sig: unused
- * @secid: identifies the smack to use in lieu of current's
+ * @subcred: identifies the smack to use in lieu of current's
*
* Return 0 if write access is permitted
*
@@ -1672,7 +1672,7 @@ static int smack_task_movememory(struct task_struct *p)
* in the USB code. Someday it may go away.
*/
static int smack_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *subcred)
{
struct smk_audit_info ad;
@@ -1682,15 +1682,15 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
* Sending a signal requires that the sender
* can write the receiver.
*/
- if (secid == 0)
+ if (subcred == NULL)
return smk_curacc(smk_of_task(task_security(p)), MAY_WRITE,
&ad);
/*
- * If the secid isn't 0 we're dealing with some USB IO
+ * If the subcred isn't NULL we're dealing with some USB IO
* specific behavior. This is not clean. For one thing
* we can't take privilege into account.
*/
- return smk_access(smack_from_secid(secid),
+ return smk_access(smk_of_task(lsm_get_cred(subcred, &smack_ops)),
smk_of_task(task_security(p)), MAY_WRITE, &ad);
}
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH v13 3/9] LSM: Multiple concurrent secids
[not found] <5176ABB7.5080300@schaufler-ca.com>
` (2 preceding siblings ...)
2013-04-23 16:04 ` [PATCH v13 2/9] LSM: Complete conversion to kill_pid_info_as_cred Casey Schaufler
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 4/9] LSM: Multiple security context maintenance Casey Schaufler
` (5 subsequent siblings)
9 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 3/9] LSM: Multiple concurrent secids
Change the representation of a secid from a single u32
to a structure containing multiple instances of u32s.
This permits interfaces that require information about
the security context maintained by multiple LSMs (i.e.
audit) and hooks that provide that information to do so.
The networking interfaces that require a single secid
have been changed to hook into the mechanism.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/audit.h | 9 ++-
include/linux/cred.h | 3 +-
include/linux/security.h | 44 +++++++-----
include/net/af_unix.h | 3 +-
include/net/scm.h | 4 +-
include/net/xfrm.h | 5 +-
kernel/audit.c | 73 +++++++++++---------
kernel/audit.h | 4 +-
kernel/auditfilter.c | 16 +++--
kernel/auditsc.c | 66 +++++++++---------
kernel/cred.c | 6 +-
net/ipv4/ip_sockglue.c | 5 +-
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 11 ++-
net/netfilter/nf_conntrack_netlink.c | 14 +++-
net/netfilter/nf_conntrack_standalone.c | 7 +-
net/netfilter/xt_SECMARK.c | 7 +-
net/netlabel/netlabel_unlabeled.c | 33 +++++----
net/netlabel/netlabel_user.c | 7 +-
net/netlabel/netlabel_user.h | 5 +-
net/unix/af_unix.c | 17 ++++-
net/xfrm/xfrm_user.c | 32 +++++----
security/capability.c | 2 +-
security/integrity/ima/ima_policy.c | 7 +-
security/security.c | 41 ++++++-----
24 files changed, 256 insertions(+), 165 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 5a6d718..0be1759e 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -43,6 +43,7 @@ struct mq_attr;
struct mqstat;
struct audit_watch;
struct audit_tree;
+struct secids;
struct audit_krule {
int vers_ops;
@@ -423,9 +424,11 @@ extern void audit_log_link_denied(const char *operation,
struct path *link);
extern void audit_log_lost(const char *message);
#ifdef CONFIG_SECURITY
-extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
+extern void audit_log_secctx(struct audit_buffer *ab,
+ u32 secid);
#else
-static inline void audit_log_secctx(struct audit_buffer *ab, u32 secid)
+static inline void audit_log_secctx(struct audit_buffer *ab,
+ u32 secid)
{ }
#endif
@@ -436,7 +439,7 @@ extern int audit_filter_user(void);
extern int audit_filter_type(int type);
extern int audit_receive_filter(int type, int pid, int seq,
void *data, size_t datasz, kuid_t loginuid,
- u32 sessionid, u32 sid);
+ u32 sessionid, struct secids *sid);
extern int audit_enabled;
#else /* CONFIG_AUDIT */
static inline __printf(4, 5)
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 04421e8..459302a 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -22,6 +22,7 @@
struct user_struct;
struct cred;
struct inode;
+struct secids;
/*
* COW Supplementary groups list
@@ -151,7 +152,7 @@ extern const struct cred *override_creds(const struct cred *);
extern void revert_creds(const struct cred *);
extern struct cred *prepare_kernel_cred(struct task_struct *);
extern int change_create_files_as(struct cred *, struct inode *);
-extern int set_security_override(struct cred *, u32);
+extern int set_security_override(struct cred *, struct secids *);
extern int set_security_override_from_ctx(struct cred *, const char *);
extern int set_create_files_as(struct cred *, struct inode *);
extern void __init cred_init(void);
diff --git a/include/linux/security.h b/include/linux/security.h
index a1079ab..038df6f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -156,6 +156,12 @@ extern int mmap_min_addr_handler(struct ctl_table *table, int write,
typedef int (*initxattrs) (struct inode *inode,
const struct xattr *xattr_array, void *fs_data);
+/* A collection of secids, which are what (certain) LSMs deal with */
+struct secids {
+ int si_count;
+ u32 si_lsm[1];
+};
+
#ifdef CONFIG_SECURITY
struct security_mnt_opts {
@@ -1767,7 +1773,7 @@ int security_inode_killpriv(struct dentry *dentry);
int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
-void security_inode_getsecid(const struct inode *inode, u32 *secid);
+void security_inode_getsecid(const struct inode *inode, struct secids *secid);
int security_file_permission(struct file *file, int mask);
int security_file_alloc(struct file *file);
void security_file_free(struct file *file);
@@ -1790,7 +1796,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
void security_cred_free(struct cred *cred);
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
void security_transfer_creds(struct cred *new, const struct cred *old);
-int security_kernel_act_as(struct cred *new, u32 secid);
+int security_kernel_act_as(struct cred *new, struct secids *secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_module_request(char *kmod_name);
int security_kernel_module_from_file(struct file *file);
@@ -1799,7 +1805,7 @@ int security_task_fix_setuid(struct cred *new, const struct cred *old,
int security_task_setpgid(struct task_struct *p, pid_t pgid);
int security_task_getpgid(struct task_struct *p);
int security_task_getsid(struct task_struct *p);
-void security_task_getsecid(struct task_struct *p, u32 *secid);
+void security_task_getsecid(struct task_struct *p, struct secids *secid);
int security_task_setnice(struct task_struct *p, int nice);
int security_task_setioprio(struct task_struct *p, int ioprio);
int security_task_getioprio(struct task_struct *p);
@@ -1815,7 +1821,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5);
void security_task_to_inode(struct task_struct *p, struct inode *inode);
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
-void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
+void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct secids *secid);
int security_msg_msg_alloc(struct msg_msg *msg);
void security_msg_msg_free(struct msg_msg *msg);
int security_msg_queue_alloc(struct msg_queue *msq);
@@ -1841,8 +1847,8 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
int security_getprocattr(struct task_struct *p, char *name, char **value);
int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
-int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen);
+int security_secctx_to_secid(const char *secdata, u32 seclen, struct secids *secid);
void security_release_secctx(char *secdata, u32 seclen);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
@@ -2187,9 +2193,9 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer,
return 0;
}
-static inline void security_inode_getsecid(const struct inode *inode, u32 *secid)
+static inline void security_inode_getsecid(const struct inode *inode, struct secids *secid)
{
- *secid = 0;
+ secid->si_lsm[0] = 0;
}
static inline int security_file_permission(struct file *file, int mask)
@@ -2291,7 +2297,7 @@ static inline void security_transfer_creds(struct cred *new,
{
}
-static inline int security_kernel_act_as(struct cred *cred, u32 secid)
+static inline int security_kernel_act_as(struct cred *cred, struct secids *secid)
{
return 0;
}
@@ -2334,9 +2340,9 @@ static inline int security_task_getsid(struct task_struct *p)
return 0;
}
-static inline void security_task_getsecid(struct task_struct *p, u32 *secid)
+static inline void security_task_getsecid(struct task_struct *p, struct secids *secid)
{
- *secid = 0;
+ secid->si_lsm[0] = 0;
}
static inline int security_task_setnice(struct task_struct *p, int nice)
@@ -2405,9 +2411,9 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp,
return 0;
}
-static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct secids *secid)
{
- *secid = 0;
+ secid->si_lsm[0] = 0;
}
static inline int security_msg_msg_alloc(struct msg_msg *msg)
@@ -2519,14 +2525,14 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
return cap_netlink_send(sk, skb);
}
-static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+static inline int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen)
{
return -EOPNOTSUPP;
}
static inline int security_secctx_to_secid(const char *secdata,
u32 seclen,
- u32 *secid)
+ struct secids *secid)
{
return -EOPNOTSUPP;
}
@@ -2571,7 +2577,7 @@ int security_socket_shutdown(struct socket *sock, int how);
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len);
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, struct secids *secid);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
void security_sk_free(struct sock *sk);
void security_sk_clone(const struct sock *sk, struct sock *newsk);
@@ -2700,7 +2706,7 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
return -ENOPROTOOPT;
}
-static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, struct secids *secid)
{
return -ENOPROTOOPT;
}
@@ -2999,7 +3005,7 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
#ifdef CONFIG_SECURITY
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
int security_audit_rule_known(struct audit_krule *krule);
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
+int security_audit_rule_match(struct secids *secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx);
void security_audit_rule_free(void *lsmrule);
@@ -3016,7 +3022,7 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
return 0;
}
-static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
+static inline int security_audit_rule_match(struct secids *secid, u32 field, u32 op,
void *lsmrule, struct audit_context *actx)
{
return 0;
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 0a996a3..9cb2470 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -32,12 +32,11 @@ struct unix_skb_parms {
const struct cred *cred;
struct scm_fp_list *fp; /* Passed files */
#ifdef CONFIG_SECURITY_NETWORK
- u32 secid; /* Security ID */
+ struct secids *secid; /* Security ID */
#endif
};
#define UNIXCB(skb) (*(struct unix_skb_parms *)&((skb)->cb))
-#define UNIXSID(skb) (&UNIXCB((skb)).secid)
#define unix_state_lock(s) spin_lock(&unix_sk(s)->lock)
#define unix_state_unlock(s) spin_unlock(&unix_sk(s)->lock)
diff --git a/include/net/scm.h b/include/net/scm.h
index 975cca0..e0ce1eb 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -30,7 +30,7 @@ struct scm_cookie {
struct scm_fp_list *fp; /* Passed files */
struct scm_creds creds; /* Skb credentials */
#ifdef CONFIG_SECURITY_NETWORK
- u32 secid; /* Passed security ID */
+ struct secids secid; /* Passed security ID */
#endif
};
@@ -97,7 +97,7 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
int err;
if (test_bit(SOCK_PASSSEC, &sock->flags)) {
- err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
+ err = security_secid_to_secctx(&scm->secid, &secdata, &seclen);
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 24c8886..45976ad 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -698,11 +698,14 @@ static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
{
char *secctx;
u32 secctx_len;
+ struct secids sid;
+
+ sid.si_lsm[0] = secid;
audit_log_format(audit_buf, " auid=%u ses=%u",
from_kuid(&init_user_ns, auid), ses);
if (secid != 0 &&
- security_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
+ security_secid_to_secctx(&sid, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
security_release_secctx(secctx, secctx_len);
} else
diff --git a/kernel/audit.c b/kernel/audit.c
index d596e53..eab4b52 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -107,7 +107,7 @@ static int audit_backlog_wait_overflow = 0;
/* The identity of the user shutting down the audit system. */
kuid_t audit_sig_uid = INVALID_UID;
pid_t audit_sig_pid = -1;
-u32 audit_sig_sid = 0;
+struct secids audit_sig_sid;
/* Records can be lost in several ways:
0) [suppressed in audit_alloc]
@@ -265,8 +265,8 @@ void audit_log_lost(const char *message)
}
static int audit_log_config_change(char *function_name, int new, int old,
- kuid_t loginuid, u32 sessionid, u32 sid,
- int allow_changes)
+ kuid_t loginuid, u32 sessionid,
+ struct secids *sid, int allow_changes)
{
struct audit_buffer *ab;
int rc = 0;
@@ -282,7 +282,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
rc = security_secid_to_secctx(sid, &ctx, &len);
if (rc) {
- audit_log_format(ab, " sid=%u", sid);
+ audit_log_format(ab, " sid=%u", sid->si_count);
allow_changes = 0; /* Something weird, deny request */
} else {
audit_log_format(ab, " subj=%s", ctx);
@@ -296,7 +296,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
static int audit_do_config_change(char *function_name, int *to_change,
int new, kuid_t loginuid, u32 sessionid,
- u32 sid)
+ struct secids *sid)
{
int allow_changes, rc = 0, old = *to_change;
@@ -323,20 +323,20 @@ static int audit_do_config_change(char *function_name, int *to_change,
}
static int audit_set_rate_limit(int limit, kuid_t loginuid, u32 sessionid,
- u32 sid)
+ struct secids *sid)
{
return audit_do_config_change("audit_rate_limit", &audit_rate_limit,
limit, loginuid, sessionid, sid);
}
static int audit_set_backlog_limit(int limit, kuid_t loginuid, u32 sessionid,
- u32 sid)
+ struct secids *sid)
{
return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit,
limit, loginuid, sessionid, sid);
}
-static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid)
+static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, struct secids *sid)
{
int rc;
if (state < AUDIT_OFF || state > AUDIT_LOCKED)
@@ -351,7 +351,7 @@ static int audit_set_enabled(int state, kuid_t loginuid, u32 sessionid, u32 sid)
return rc;
}
-static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, u32 sid)
+static int audit_set_failure(int state, kuid_t loginuid, u32 sessionid, struct secids *sid)
{
if (state != AUDIT_FAIL_SILENT
&& state != AUDIT_FAIL_PRINTK
@@ -609,7 +609,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
}
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
- kuid_t auid, u32 ses, u32 sid)
+ kuid_t auid, u32 ses, struct secids *sid)
{
int rc = 0;
char *ctx = NULL;
@@ -630,7 +630,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
if (sid) {
rc = security_secid_to_secctx(sid, &ctx, &len);
if (rc)
- audit_log_format(*ab, " ssid=%u", sid);
+ audit_log_format(*ab, " ssid=%u", sid->si_count);
else {
audit_log_format(*ab, " subj=%s", ctx);
security_release_secctx(ctx, len);
@@ -642,7 +642,8 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
- u32 seq, sid;
+ u32 seq;
+ struct secids sid;
void *data;
struct audit_status *status_get, status_set;
int err;
@@ -692,13 +693,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
status_get = (struct audit_status *)data;
if (status_get->mask & AUDIT_STATUS_ENABLED) {
err = audit_set_enabled(status_get->enabled,
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
if (err < 0)
return err;
}
if (status_get->mask & AUDIT_STATUS_FAILURE) {
err = audit_set_failure(status_get->failure,
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
if (err < 0)
return err;
}
@@ -708,20 +709,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid,
audit_pid, loginuid,
- sessionid, sid, 1);
+ sessionid, &sid, 1);
audit_pid = new_pid;
audit_nlk_portid = NETLINK_CB(skb).portid;
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT) {
err = audit_set_rate_limit(status_get->rate_limit,
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
if (err < 0)
return err;
}
if (status_get->mask & AUDIT_STATUS_BACKLOG_LIMIT)
err = audit_set_backlog_limit(status_get->backlog_limit,
- loginuid, sessionid, sid);
+ loginuid, sessionid,
+ &sid);
break;
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
@@ -739,7 +741,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
break;
}
audit_log_common_recv_msg(&ab, msg_type,
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
if (msg_type != AUDIT_USER_TTY)
audit_log_format(ab, " msg='%.1024s'",
@@ -764,7 +766,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EINVAL;
if (audit_enabled == AUDIT_LOCKED) {
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
audit_log_format(ab, " audit_enabled=%d res=0",
audit_enabled);
@@ -775,7 +777,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_LIST:
err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
seq, data, nlmsg_len(nlh),
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
break;
case AUDIT_ADD_RULE:
case AUDIT_DEL_RULE:
@@ -783,7 +785,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EINVAL;
if (audit_enabled == AUDIT_LOCKED) {
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
audit_log_format(ab, " audit_enabled=%d res=0",
audit_enabled);
@@ -794,13 +796,13 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
case AUDIT_LIST_RULES:
err = audit_receive_filter(msg_type, NETLINK_CB(skb).portid,
seq, data, nlmsg_len(nlh),
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
break;
case AUDIT_TRIM:
audit_trim_trees();
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
audit_log_format(ab, " op=trim res=1");
audit_log_end(ab);
@@ -832,7 +834,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
err = audit_tag_tree(old, new);
audit_log_common_recv_msg(&ab, AUDIT_CONFIG_CHANGE,
- loginuid, sessionid, sid);
+ loginuid, sessionid, &sid);
audit_log_format(ab, " op=make_equiv old=");
audit_log_untrustedstring(ab, old);
@@ -846,20 +848,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
case AUDIT_SIGNAL_INFO:
len = 0;
- if (audit_sig_sid) {
- err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
+ if (audit_sig_sid.si_count) {
+ err = security_secid_to_secctx(&audit_sig_sid, &ctx,
+ &len);
if (err)
return err;
}
sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
if (!sig_data) {
- if (audit_sig_sid)
+ if (audit_sig_sid.si_count)
security_release_secctx(ctx, len);
return -ENOMEM;
}
sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
sig_data->pid = audit_sig_pid;
- if (audit_sig_sid) {
+ if (audit_sig_sid.si_count) {
memcpy(sig_data->ctx, ctx, len);
security_release_secctx(ctx, len);
}
@@ -1525,21 +1528,29 @@ void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
#ifdef CONFIG_SECURITY
/**
- * audit_log_secctx - Converts and logs SELinux context
+ * audit_log_secctx - Converts and logs security context
* @ab: audit_buffer
* @secid: security number
*
* This is a helper function that calls security_secid_to_secctx to convert
- * secid to secctx and then adds the (converted) SELinux context to the audit
+ * secid to secctx and then adds the (converted) security context to the audit
* log by calling audit_log_format, thus also preventing leak of internal secid
* to userspace. If secid cannot be converted audit_panic is called.
+ *
+ * This is only called by the secmark code.
*/
void audit_log_secctx(struct audit_buffer *ab, u32 secid)
{
u32 len;
char *secctx;
+ struct secids secids;
+
+ memset(&secids, 0, sizeof(secids));
+
+ secids.si_lsm[0] = secid;
+ secids.si_count = 1;
- if (security_secid_to_secctx(secid, &secctx, &len)) {
+ if (security_secid_to_secctx(&secids, &secctx, &len)) {
audit_panic("Cannot convert secid to context");
} else {
audit_log_format(ab, " obj=%s", secctx);
diff --git a/kernel/audit.h b/kernel/audit.h
index d51cba8..a4d5d9a 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -95,8 +95,6 @@ struct audit_netlink_list {
int audit_send_list(void *);
-extern int selinux_audit_rule_update(void);
-
extern struct mutex audit_filter_mutex;
extern void audit_free_rule_rcu(struct rcu_head *);
extern struct list_head audit_filter_list[];
@@ -150,7 +148,7 @@ extern char *audit_unpack_string(void **, size_t *, size_t);
extern pid_t audit_sig_pid;
extern kuid_t audit_sig_uid;
-extern u32 audit_sig_sid;
+extern struct secids audit_sig_sid;
#ifdef CONFIG_AUDITSYSCALL
extern int __audit_signal_info(int sig, struct task_struct *t);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f9fc54b..765873b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1109,8 +1109,9 @@ static void audit_list_rules(int pid, int seq, struct sk_buff_head *q)
}
/* Log rule additions and removals */
-static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
- char *action, struct audit_krule *rule,
+static void audit_log_rule_change(kuid_t loginuid, u32 sessionid,
+ struct secids *sid, char *action,
+ struct audit_krule *rule,
int res)
{
struct audit_buffer *ab;
@@ -1123,11 +1124,11 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
return;
audit_log_format(ab, "auid=%u ses=%u",
from_kuid(&init_user_ns, loginuid), sessionid);
- if (sid) {
+ if (sid->si_count) {
char *ctx = NULL;
u32 len;
if (security_secid_to_secctx(sid, &ctx, &len))
- audit_log_format(ab, " ssid=%u", sid);
+ audit_log_format(ab, " ssid=%u", sid->si_count);
else {
audit_log_format(ab, " subj=%s", ctx);
security_release_secctx(ctx, len);
@@ -1152,7 +1153,8 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid, u32 sid,
* @sid: SE Linux Security ID of sender
*/
int audit_receive_filter(int type, int pid, int seq, void *data,
- size_t datasz, kuid_t loginuid, u32 sessionid, u32 sid)
+ size_t datasz, kuid_t loginuid, u32 sessionid,
+ struct secids *sid)
{
struct task_struct *tsk;
struct audit_netlink_list *dest;
@@ -1362,7 +1364,7 @@ static int audit_filter_user_rules(struct audit_krule *rule,
for (i = 0; i < rule->field_count; i++) {
struct audit_field *f = &rule->fields[i];
int result = 0;
- u32 sid;
+ struct secids sid;
switch (f->type) {
case AUDIT_PID:
@@ -1385,7 +1387,7 @@ static int audit_filter_user_rules(struct audit_krule *rule,
case AUDIT_SUBJ_CLR:
if (f->lsm_rule) {
security_task_getsecid(current, &sid);
- result = security_audit_rule_match(sid,
+ result = security_audit_rule_match(&sid,
f->type,
f->op,
f->lsm_rule,
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index a371f85..e7e788b 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -114,8 +114,8 @@ struct audit_names {
kuid_t uid;
kgid_t gid;
dev_t rdev;
- u32 osid;
- struct audit_cap_data fcap;
+ struct secids osid;
+ struct audit_cap_data fcap;
unsigned int fcap_ver;
int name_len; /* number of name's characters to log */
unsigned char type; /* record type */
@@ -151,7 +151,7 @@ struct audit_aux_data_pids {
kuid_t target_auid[AUDIT_AUX_PIDS];
kuid_t target_uid[AUDIT_AUX_PIDS];
unsigned int target_sessionid[AUDIT_AUX_PIDS];
- u32 target_sid[AUDIT_AUX_PIDS];
+ struct secids target_sid[AUDIT_AUX_PIDS];
char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
int pid_count;
};
@@ -215,7 +215,7 @@ struct audit_context {
kuid_t target_auid;
kuid_t target_uid;
unsigned int target_sessionid;
- u32 target_sid;
+ struct secids target_sid;
char target_comm[TASK_COMM_LEN];
struct audit_tree_refs *trees, *first_trees;
@@ -232,7 +232,7 @@ struct audit_context {
kuid_t uid;
kgid_t gid;
umode_t mode;
- u32 osid;
+ struct secids osid;
int has_perm;
uid_t perm_uid;
gid_t perm_gid;
@@ -599,7 +599,7 @@ static int audit_filter_rules(struct task_struct *tsk,
{
const struct cred *cred;
int i, need_sid = 1;
- u32 sid;
+ struct secids sid;
cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
@@ -757,10 +757,11 @@ static int audit_filter_rules(struct task_struct *tsk,
security_task_getsecid(tsk, &sid);
need_sid = 0;
}
- result = security_audit_rule_match(sid, f->type,
- f->op,
- f->lsm_rule,
- ctx);
+ result = security_audit_rule_match(&sid,
+ f->type,
+ f->op,
+ f->lsm_rule,
+ ctx);
}
break;
case AUDIT_OBJ_USER:
@@ -774,13 +775,16 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find files that match */
if (name) {
result = security_audit_rule_match(
- name->osid, f->type, f->op,
+ &name->osid, f->type, f->op,
f->lsm_rule, ctx);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
- if (security_audit_rule_match(n->osid, f->type,
- f->op, f->lsm_rule,
- ctx)) {
+ if (security_audit_rule_match(
+ &n->osid,
+ f->type,
+ f->op,
+ f->lsm_rule,
+ ctx)) {
++result;
break;
}
@@ -789,7 +793,7 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
- if (security_audit_rule_match(ctx->ipc.osid,
+ if (security_audit_rule_match(&ctx->ipc.osid,
f->type, f->op,
f->lsm_rule, ctx))
++result;
@@ -1104,13 +1108,13 @@ void audit_log_task_context(struct audit_buffer *ab)
char *ctx = NULL;
unsigned len;
int error;
- u32 sid;
+ struct secids sid;
security_task_getsecid(current, &sid);
- if (!sid)
+ if (sid.si_count == 0)
return;
- error = security_secid_to_secctx(sid, &ctx, &len);
+ error = security_secid_to_secctx(&sid, &ctx, &len);
if (error) {
if (error != -EINVAL)
goto error_path;
@@ -1182,8 +1186,9 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
EXPORT_SYMBOL(audit_log_task_info);
static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- kuid_t auid, kuid_t uid, unsigned int sessionid,
- u32 sid, char *comm)
+ kuid_t auid, kuid_t uid,
+ unsigned int sessionid, struct secids *sid,
+ char *comm)
{
struct audit_buffer *ab;
char *ctx = NULL;
@@ -1443,17 +1448,17 @@ static void show_special(struct audit_context *context, int *call_panic)
context->socketcall.args[i]);
break; }
case AUDIT_IPC: {
- u32 osid = context->ipc.osid;
+ struct secids *sip = &context->ipc.osid;
audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
from_kuid(&init_user_ns, context->ipc.uid),
from_kgid(&init_user_ns, context->ipc.gid),
context->ipc.mode);
- if (osid) {
+ if (sip->si_count) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(osid, &ctx, &len)) {
- audit_log_format(ab, " osid=%u", osid);
+ if (security_secid_to_secctx(sip, &ctx, &len)) {
+ audit_log_format(ab, " osid=%u", sip->si_count);
*call_panic = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
@@ -1566,12 +1571,11 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
MAJOR(n->rdev),
MINOR(n->rdev));
}
- if (n->osid != 0) {
+ if (n->osid.si_count != 0) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(
- n->osid, &ctx, &len)) {
- audit_log_format(ab, " osid=%u", n->osid);
+ if (security_secid_to_secctx(&n->osid, &ctx, &len)) {
+ audit_log_format(ab, " osid=%u", n->osid.si_count);
*call_panic = 2;
} else {
audit_log_format(ab, " obj=%s", ctx);
@@ -1679,7 +1683,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
axs->target_auid[i],
axs->target_uid[i],
axs->target_sessionid[i],
- axs->target_sid[i],
+ &axs->target_sid[i],
axs->target_comm[i]))
call_panic = 1;
}
@@ -1688,7 +1692,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
audit_log_pid_context(context, context->target_pid,
context->target_auid, context->target_uid,
context->target_sessionid,
- context->target_sid, context->target_comm))
+ &context->target_sid, context->target_comm))
call_panic = 1;
if (context->pwd.dentry && context->pwd.mnt) {
@@ -1834,7 +1838,7 @@ void __audit_syscall_exit(int success, long return_code)
context->aux = NULL;
context->aux_pids = NULL;
context->target_pid = 0;
- context->target_sid = 0;
+ context->target_sid.si_count = 0;
context->sockaddr_len = 0;
context->type = 0;
context->fds[0] = -1;
diff --git a/kernel/cred.c b/kernel/cred.c
index e0573a4..c94a3ff 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -641,7 +641,7 @@ EXPORT_SYMBOL(prepare_kernel_cred);
* Set the LSM security ID in a set of credentials so that the subjective
* security is overridden when an alternative set of credentials is used.
*/
-int set_security_override(struct cred *new, u32 secid)
+int set_security_override(struct cred *new, struct secids *secid)
{
return security_kernel_act_as(new, secid);
}
@@ -659,14 +659,14 @@ EXPORT_SYMBOL(set_security_override);
*/
int set_security_override_from_ctx(struct cred *new, const char *secctx)
{
- u32 secid;
+ struct secids secid;
int ret;
ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
if (ret < 0)
return ret;
- return set_security_override(new, secid);
+ return set_security_override(new, &secid);
}
EXPORT_SYMBOL(set_security_override_from_ctx);
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index d9c4f11..a55f8c0 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -108,14 +108,15 @@ static void ip_cmsg_recv_retopts(struct msghdr *msg, struct sk_buff *skb)
static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
{
char *secdata;
- u32 seclen, secid;
+ u32 seclen;
+ struct secids secid;
int err;
err = security_socket_getpeersec_dgram(NULL, skb, &secid);
if (err)
return;
- err = security_secid_to_secctx(secid, &secdata, &seclen);
+ err = security_secid_to_secctx(&secid, &secdata, &seclen);
if (err)
return;
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index f2ca127..03dd794 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -98,14 +98,21 @@ static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
int ret;
u32 len;
char *secctx;
+ struct secids secid;
+ struct security_operations *sop;
- ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+ memset(&secid, 0, sizeof(secid));
+
+ secid.si_lsm[lsm_secmark_ops->order] = ct->secmark;
+ secid.si_count = 1;
+
+ ret = security_secid_to_secctx(&secid, &secctx, &len, &sop);
if (ret)
return 0;
ret = seq_printf(s, "secctx=%s ", secctx);
- security_release_secctx(secctx, len);
+ security_release_secctx(secctx, len, sop);
return ret;
}
#else
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 9904b15..4a95072 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -301,8 +301,13 @@ ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
struct nlattr *nest_secctx;
int len, ret;
char *secctx;
+ struct secids secid;
- ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+ memset(&secid, 0, sizeof(secid));
+
+ secid.si_lsm[0] = ct->secmark;
+
+ ret = security_secid_to_secctx(&secid, &secctx, &len);
if (ret)
return 0;
@@ -548,8 +553,13 @@ ctnetlink_secctx_size(const struct nf_conn *ct)
{
#ifdef CONFIG_NF_CONNTRACK_SECMARK
int len, ret;
+ struct secids secid;
+
+ memset(&secid, 0, sizeof(secid));
+
+ secid.si_lsm[0] = ct->secmark;
- ret = security_secid_to_secctx(ct->secmark, NULL, &len);
+ ret = security_secid_to_secctx(&secid, NULL, &len);
if (ret)
return 0;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index fedee39..4e5bb3e 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -123,8 +123,13 @@ static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
int ret;
u32 len;
char *secctx;
+ struct secids secid;
- ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+ memset(&secid, 0, sizeof(secid));
+
+ secid.si_lsm[0] = ct->secmark;
+
+ ret = security_secid_to_secctx(&secid, &secctx, &len);
if (ret)
return 0;
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 9faf5e0..0f7a066 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -52,12 +52,17 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
static int checkentry_lsm(struct xt_secmark_target_info *info)
{
int err;
+ struct secids secid;
info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
info->secid = 0;
+ secid.si_lsm[0] = 0;
+
err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
- &info->secid);
+ &secid);
+ info->secid = secid.si_lsm[0];
+
if (err) {
if (err == -EINVAL)
pr_info("invalid security context \'%s\'\n", info->secctx);
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 8a6c6ea..520caaa 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -396,6 +396,9 @@ int netlbl_unlhsh_add(struct net *net,
struct audit_buffer *audit_buf = NULL;
char *secctx = NULL;
u32 secctx_len;
+ struct secids sid;
+
+ sid.si_lsm[0] = secid;
if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr))
@@ -458,7 +461,7 @@ int netlbl_unlhsh_add(struct net *net,
unlhsh_add_return:
rcu_read_unlock();
if (audit_buf != NULL) {
- if (security_secid_to_secctx(secid,
+ if (security_secid_to_secctx(&sid,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
@@ -495,6 +498,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
struct net_device *dev;
char *secctx;
u32 secctx_len;
+ struct secids sid;
spin_lock(&netlbl_unlhsh_lock);
list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
@@ -514,8 +518,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
addr->s_addr, mask->s_addr);
if (dev != NULL)
dev_put(dev);
+ sid.si_lsm[0] = entry->secid;
if (entry != NULL &&
- security_secid_to_secctx(entry->secid,
+ security_secid_to_secctx(&sid,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
@@ -557,6 +562,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
struct net_device *dev;
char *secctx;
u32 secctx_len;
+ struct secids sid;
spin_lock(&netlbl_unlhsh_lock);
list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
@@ -575,8 +581,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
addr, mask);
if (dev != NULL)
dev_put(dev);
+ sid.si_lsm[0] = entry->secid;
if (entry != NULL &&
- security_secid_to_secctx(entry->secid,
+ security_secid_to_secctx(&sid,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
@@ -902,7 +909,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
void *addr;
void *mask;
u32 addr_len;
- u32 secid;
+ struct secids secid;
struct netlbl_audit audit_info;
/* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -931,7 +938,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
return ret_val;
return netlbl_unlhsh_add(&init_net,
- dev_name, addr, mask, addr_len, secid,
+ dev_name, addr, mask, addr_len, secid.si_lsm[0],
&audit_info);
}
@@ -953,7 +960,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
void *addr;
void *mask;
u32 addr_len;
- u32 secid;
+ struct secids secid;
struct netlbl_audit audit_info;
/* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -980,7 +987,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
return ret_val;
return netlbl_unlhsh_add(&init_net,
- NULL, addr, mask, addr_len, secid,
+ NULL, addr, mask, addr_len, secid.si_lsm[0],
&audit_info);
}
@@ -1092,7 +1099,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
struct netlbl_unlhsh_walk_arg *cb_arg = arg;
struct net_device *dev;
void *data;
- u32 secid;
+ struct secids secid;
char *secctx;
u32 secctx_len;
@@ -1134,7 +1141,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;
- secid = addr4->secid;
+ secid.si_lsm[0] = addr4->secid;
} else {
ret_val = nla_put(cb_arg->skb,
NLBL_UNLABEL_A_IPV6ADDR,
@@ -1150,10 +1157,10 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;
- secid = addr6->secid;
+ secid.si_lsm[0] = addr6->secid;
}
- ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
+ ret_val = security_secid_to_secctx(&secid, &secctx, &secctx_len);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
@@ -1531,11 +1538,13 @@ int __init netlbl_unlabel_defconf(void)
int ret_val;
struct netlbl_dom_map *entry;
struct netlbl_audit audit_info;
+ struct secids secid;
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
- security_task_getsecid(current, &audit_info.secid);
+ security_task_getsecid(current, &secid);
+ audit_info.secid = secid.si_lsm[0];
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 9650c4a..7ef8262 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -100,10 +100,13 @@ struct audit_buffer *netlbl_audit_start_common(int type,
struct audit_buffer *audit_buf;
char *secctx;
u32 secctx_len;
+ struct secids secid;
if (audit_enabled == 0)
return NULL;
+ secid.si_lsm[0] = audit_info->secid;
+
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL)
return NULL;
@@ -113,9 +116,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
audit_info->sessionid);
if (audit_info->secid != 0 &&
- security_secid_to_secctx(audit_info->secid,
- &secctx,
- &secctx_len) == 0) {
+ security_secid_to_secctx(&secid, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
security_release_secctx(secctx, secctx_len);
}
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index 8196978..a6f1705 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -49,7 +49,10 @@
static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
struct netlbl_audit *audit_info)
{
- security_task_getsecid(current, &audit_info->secid);
+ struct secids secid;
+
+ security_task_getsecid(current, &secid);
+ audit_info->secid = secid.si_lsm[0];
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 2db702d..0051f1b 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -135,14 +135,27 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
#define UNIX_ABSTRACT(sk) (unix_sk(sk)->addr->hash < UNIX_HASH_SIZE)
#ifdef CONFIG_SECURITY_NETWORK
+/*
+ * Casey says - look for a memory leak here.
+ */
static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
{
- memcpy(UNIXSID(skb), &scm->secid, sizeof(u32));
+ struct secids *sip = kzalloc(sizeof(*sip), GFP_KERNEL);
+
+ if (sip)
+ memcpy(sip, &scm->secid, sizeof(*sip));
+ UNIXCB(skb).secid = sip;
}
static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
{
- scm->secid = *UNIXSID(skb);
+ struct secids *sip = UNIXCB(skb).secid;
+
+ if (sip) {
+ memcpy(&scm->secid, sip, sizeof(scm->secid));
+ kfree(sip);
+ } else
+ memset(&scm->secid, 0, sizeof(scm->secid));
}
#else
static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index fbd9e6c..5476610 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -597,7 +597,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct km_event c;
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- u32 sid;
+ struct secids sid;
err = verify_newsa_info(p, attrs);
if (err)
@@ -614,7 +614,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
err = xfrm_state_update(x);
security_task_getsecid(current, &sid);
- xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
+ xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid.si_lsm[0]);
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -676,7 +676,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_usersa_id *p = nlmsg_data(nlh);
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- u32 sid;
+ struct secids sid;
x = xfrm_user_state_lookup(net, p, attrs, &err);
if (x == NULL)
@@ -702,7 +702,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
out:
security_task_getsecid(current, &sid);
- xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
+ xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid.si_lsm[0]);
xfrm_state_put(x);
return err;
}
@@ -1395,7 +1395,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
int excl;
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- u32 sid;
+ struct secids sid;
err = verify_newpolicy_info(p);
if (err)
@@ -1415,7 +1415,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
security_task_getsecid(current, &sid);
- xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
+ xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid.si_lsm[0]);
if (err) {
security_xfrm_policy_free(xp->security);
@@ -1653,11 +1653,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
} else {
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- u32 sid;
+ struct secids sid;
security_task_getsecid(current, &sid);
xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
- sid);
+ sid.si_lsm[0]);
if (err != 0)
goto out;
@@ -1682,10 +1682,12 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_usersa_flush *p = nlmsg_data(nlh);
struct xfrm_audit audit_info;
int err;
+ struct secids secid;
audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
- security_task_getsecid(current, &audit_info.secid);
+ security_task_getsecid(current, &secid);
+ audit_info.secid = secid.si_lsm[0];
err = xfrm_state_flush(net, p->proto, &audit_info);
if (err) {
if (err == -ESRCH) /* empty table */
@@ -1871,6 +1873,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
u8 type = XFRM_POLICY_TYPE_MAIN;
int err;
struct xfrm_audit audit_info;
+ struct secids secid;
err = copy_from_user_policy_type(&type, attrs);
if (err)
@@ -1878,7 +1881,8 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
- security_task_getsecid(current, &audit_info.secid);
+ security_task_getsecid(current, &secid);
+ audit_info.secid = secid.si_lsm[0];
err = xfrm_policy_flush(net, type, &audit_info);
if (err) {
if (err == -ESRCH) /* empty table */
@@ -1947,11 +1951,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
if (up->hard) {
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- u32 sid;
+ struct secids sid;
security_task_getsecid(current, &sid);
xfrm_policy_delete(xp, p->dir);
- xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
+ xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid.si_lsm[0]);
} else {
// reset the timers here?
@@ -1990,11 +1994,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
if (ue->hard) {
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- u32 sid;
+ struct secids sid;
security_task_getsecid(current, &sid);
__xfrm_state_delete(x);
- xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
+ xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid.si_lsm[0]);
}
err = 0;
out:
diff --git a/security/capability.c b/security/capability.c
index 6783c3e..08bca78 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -447,7 +447,7 @@ static int cap_task_wait(struct task_struct *p)
}
static int cap_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *ucred)
{
return 0;
}
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 399433a..147d61c 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -184,7 +184,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
return false;
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
- u32 osid, sid;
+ struct secids sid;
+ struct secids osid;
int retried = 0;
if (!rule->lsm[i].rule)
@@ -195,7 +196,7 @@ retry:
case LSM_OBJ_ROLE:
case LSM_OBJ_TYPE:
security_inode_getsecid(inode, &osid);
- rc = security_filter_rule_match(osid,
+ rc = security_filter_rule_match(&osid,
rule->lsm[i].type,
Audit_equal,
rule->lsm[i].rule,
@@ -205,7 +206,7 @@ retry:
case LSM_SUBJ_ROLE:
case LSM_SUBJ_TYPE:
security_task_getsecid(tsk, &sid);
- rc = security_filter_rule_match(sid,
+ rc = security_filter_rule_match(&sid,
rule->lsm[i].type,
Audit_equal,
rule->lsm[i].rule,
diff --git a/security/security.c b/security/security.c
index 03f248b..000a1fc 100644
--- a/security/security.c
+++ b/security/security.c
@@ -648,9 +648,9 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
return security_ops->inode_listsecurity(inode, buffer, buffer_size);
}
-void security_inode_getsecid(const struct inode *inode, u32 *secid)
+void security_inode_getsecid(const struct inode *inode, struct secids *secid)
{
- security_ops->inode_getsecid(inode, secid);
+ security_ops->inode_getsecid(inode, &secid->si_lsm[0]);
}
int security_file_permission(struct file *file, int mask)
@@ -805,9 +805,9 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
security_ops->cred_transfer(new, old);
}
-int security_kernel_act_as(struct cred *new, u32 secid)
+int security_kernel_act_as(struct cred *new, struct secids *secid)
{
- return security_ops->kernel_act_as(new, secid);
+ return security_ops->kernel_act_as(new, secid->si_lsm[0]);
}
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
@@ -851,9 +851,9 @@ int security_task_getsid(struct task_struct *p)
return security_ops->task_getsid(p);
}
-void security_task_getsecid(struct task_struct *p, u32 *secid)
+void security_task_getsecid(struct task_struct *p, struct secids *secid)
{
- security_ops->task_getsecid(p, secid);
+ security_ops->task_getsecid(p, &secid->si_lsm[0]);
}
EXPORT_SYMBOL(security_task_getsecid);
@@ -894,9 +894,9 @@ int security_task_movememory(struct task_struct *p)
}
int security_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, u32 secid)
+ int sig, const struct cred *ocred)
{
- return security_ops->task_kill(p, info, sig, secid);
+ return security_ops->task_kill(p, info, sig, ocred);
}
int security_task_wait(struct task_struct *p)
@@ -926,9 +926,9 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
return security_ops->ipc_permission(ipcp, flag);
}
-void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct secids *secid)
{
- security_ops->ipc_getsecid(ipcp, secid);
+ security_ops->ipc_getsecid(ipcp, &secid->si_lsm[0]);
}
int security_msg_msg_alloc(struct msg_msg *msg)
@@ -1047,15 +1047,17 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
return security_ops->netlink_send(sk, skb);
}
-int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen)
{
- return security_ops->secid_to_secctx(secid, secdata, seclen);
+ return security_ops->secid_to_secctx(secid->si_lsm[0], secdata, seclen);
}
EXPORT_SYMBOL(security_secid_to_secctx);
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int security_secctx_to_secid(const char *secdata, u32 seclen,
+ struct secids *secid)
{
- return security_ops->secctx_to_secid(secdata, seclen, secid);
+ return security_ops->secctx_to_secid(secdata, seclen,
+ &secid->si_lsm[0]);
}
EXPORT_SYMBOL(security_secctx_to_secid);
@@ -1177,9 +1179,11 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
}
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+ struct secids *secid)
{
- return security_ops->socket_getpeersec_dgram(sock, skb, secid);
+ return security_ops->socket_getpeersec_dgram(sock, skb,
+ &secid->si_lsm[0]);
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
@@ -1421,10 +1425,11 @@ void security_audit_rule_free(void *lsmrule)
security_ops->audit_rule_free(lsmrule);
}
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
+int security_audit_rule_match(struct secids *secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx)
{
- return security_ops->audit_rule_match(secid, field, op, lsmrule, actx);
+ return security_ops->audit_rule_match(secid->si_lsm[0], field, op,
+ lsmrule, actx);
}
#endif /* CONFIG_AUDIT */
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH v13 4/9] LSM: Multiple security context maintenance
[not found] <5176ABB7.5080300@schaufler-ca.com>
` (3 preceding siblings ...)
2013-04-23 16:04 ` [PATCH v13 3/9] LSM: Multiple concurrent secids Casey Schaufler
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 5/9] LSM: Networking component isolation Casey Schaufler
` (4 subsequent siblings)
9 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 4/9] LSM: Multiple security context maintenance
The legacy use of a security context is that there is
a text string which is interpreted by a single LSM.
When there is more than one LSM that uses a security
context the conbined string is managed by the lsm
infrastructure. Because the blob release mechanism
can't tell how the blob was allocated it's necessary
to tell it. This is accomplished by providing the
security operations pointer of the LSM that created
the context or NULL if it was created by the lsm
infrastructure.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/sysfs/dir.c | 3 ++-
fs/sysfs/inode.c | 5 +++--
fs/sysfs/sysfs.h | 7 ++++---
fs/xattr.c | 8 +++++---
include/linux/security.h | 22 ++++++++++++----------
include/net/scm.h | 6 ++++--
include/net/xfrm.h | 5 +++--
kernel/audit.c | 23 +++++++++++++----------
kernel/auditfilter.c | 5 +++--
kernel/auditsc.c | 20 ++++++++++++--------
net/ipv4/ip_sockglue.c | 5 +++--
net/netfilter/nf_conntrack_netlink.c | 12 +++++-------
net/netfilter/nf_conntrack_standalone.c | 5 +++--
net/netlabel/netlabel_unlabeled.c | 21 +++++++++++++--------
net/netlabel/netlabel_user.c | 5 +++--
security/security.c | 13 +++++++++----
16 files changed, 97 insertions(+), 68 deletions(-)
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index e145126..9470c42 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -287,7 +287,8 @@ void release_sysfs_dirent(struct sysfs_dirent * sd)
kfree(sd->s_name);
if (sd->s_iattr && sd->s_iattr->ia_secdata)
security_release_secctx(sd->s_iattr->ia_secdata,
- sd->s_iattr->ia_secdata_len);
+ sd->s_iattr->ia_secdata_len,
+ sd->s_iattr->ia_sop);
kfree(sd->s_iattr);
sysfs_free_ino(sd->s_ino);
kmem_cache_free(sysfs_dir_cachep, sd);
diff --git a/fs/sysfs/inode.c b/fs/sysfs/inode.c
index 0ce3ccf..4c318a3 100644
--- a/fs/sysfs/inode.c
+++ b/fs/sysfs/inode.c
@@ -157,6 +157,7 @@ static int sysfs_sd_setsecdata(struct sysfs_dirent *sd, void **secdata, u32 *sec
int sysfs_setxattr(struct dentry *dentry, const char *name, const void *value,
size_t size, int flags)
{
+ struct security_operations *sop;
struct sysfs_dirent *sd = dentry->d_fsdata;
void *secdata;
int error;
@@ -172,7 +173,7 @@ int sysfs_setxattr(struct dentry *dentry, const char *name, const void *value,
if (error)
goto out;
error = security_inode_getsecctx(dentry->d_inode,
- &secdata, &secdata_len);
+ &secdata, &secdata_len, &sop);
if (error)
goto out;
@@ -181,7 +182,7 @@ int sysfs_setxattr(struct dentry *dentry, const char *name, const void *value,
mutex_unlock(&sysfs_mutex);
if (secdata)
- security_release_secctx(secdata, secdata_len);
+ security_release_secctx(secdata, secdata_len, sop);
} else
return -EINVAL;
out:
diff --git a/fs/sysfs/sysfs.h b/fs/sysfs/sysfs.h
index d1e4043..3895884 100644
--- a/fs/sysfs/sysfs.h
+++ b/fs/sysfs/sysfs.h
@@ -39,9 +39,10 @@ struct sysfs_elem_bin_attr {
};
struct sysfs_inode_attrs {
- struct iattr ia_iattr;
- void *ia_secdata;
- u32 ia_secdata_len;
+ struct iattr ia_iattr;
+ void *ia_secdata;
+ u32 ia_secdata_len;
+ struct security_operations *ia_sop;
};
/*
diff --git a/fs/xattr.c b/fs/xattr.c
index 3377dff..542e78d 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -146,15 +146,17 @@ ssize_t
xattr_getsecurity(struct inode *inode, const char *name, void *value,
size_t size)
{
+ struct security_operations *sop;
void *buffer = NULL;
ssize_t len;
if (!value || !size) {
- len = security_inode_getsecurity(inode, name, &buffer, false);
+ len = security_inode_getsecurity(inode, name, &buffer,
+ false, &sop);
goto out_noalloc;
}
- len = security_inode_getsecurity(inode, name, &buffer, true);
+ len = security_inode_getsecurity(inode, name, &buffer, true, &sop);
if (len < 0)
return len;
if (size < len) {
@@ -163,7 +165,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
}
memcpy(value, buffer, len);
out:
- security_release_secctx(buffer, len);
+ security_release_secctx(buffer, len, sop);
out_noalloc:
return len;
}
diff --git a/include/linux/security.h b/include/linux/security.h
index 038df6f..4430b09 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1323,9 +1323,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* Convert secid to security context. If secdata is NULL the length of
* the result will be returned in seclen, but no secdata will be returned.
* This does mean that the length could change between calls to check the
- * length and the next call which actually allocates and returns the secdata.
- * @secid contains the security ID.
- * @secdata contains the pointer that stores the converted security context.
+ * length and the next call which actually allocates and returns the
+ * secdata.
+ * @secid contains the security IDs.
+ * @secdata contains the pointer that stores the converted security
+ * context.
* @seclen pointer which contains the length of the data
* @secctx_to_secid:
* Convert security context to secid.
@@ -1770,7 +1772,7 @@ int security_inode_listxattr(struct dentry *dentry);
int security_inode_removexattr(struct dentry *dentry, const char *name);
int security_inode_need_killpriv(struct dentry *dentry);
int security_inode_killpriv(struct dentry *dentry);
-int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
+int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc, struct security_operations **secops);
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
void security_inode_getsecid(const struct inode *inode, struct secids *secid);
@@ -1847,13 +1849,13 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
int security_getprocattr(struct task_struct *p, char *name, char **value);
int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
-int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen);
+int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen, struct security_operations **secops);
int security_secctx_to_secid(const char *secdata, u32 seclen, struct secids *secid);
-void security_release_secctx(char *secdata, u32 seclen);
+void security_release_secctx(char *secdata, u32 seclen, struct security_operations *secops);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
-int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen, struct security_operations **secops);
#else /* CONFIG_SECURITY */
struct security_mnt_opts {
};
@@ -2178,7 +2180,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
return cap_inode_killpriv(dentry);
}
-static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
+static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc, struct security_operations **secops)
{
return -EOPNOTSUPP;
}
@@ -2525,7 +2527,7 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
return cap_netlink_send(sk, skb);
}
-static inline int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen)
+static inline int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen, struct security_operations **secops)
{
return -EOPNOTSUPP;
}
@@ -2549,7 +2551,7 @@ static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32
{
return -EOPNOTSUPP;
}
-static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen, struct security_operations **secops)
{
return -EOPNOTSUPP;
}
diff --git a/include/net/scm.h b/include/net/scm.h
index e0ce1eb..33d1dda 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -92,16 +92,18 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
#ifdef CONFIG_SECURITY_NETWORK
static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
{
+ struct security_operations *sop;
char *secdata;
u32 seclen;
int err;
if (test_bit(SOCK_PASSSEC, &sock->flags)) {
- err = security_secid_to_secctx(&scm->secid, &secdata, &seclen);
+ err = security_secid_to_secctx(&scm->secid, &secdata, &seclen,
+ &sop);
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
- security_release_secctx(secdata, seclen);
+ security_release_secctx(secdata, seclen, sop);
}
}
}
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 45976ad..1dd770e 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -699,15 +699,16 @@ static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
char *secctx;
u32 secctx_len;
struct secids sid;
+ struct security_operations *sop;
sid.si_lsm[0] = secid;
audit_log_format(audit_buf, " auid=%u ses=%u",
from_kuid(&init_user_ns, auid), ses);
if (secid != 0 &&
- security_secid_to_secctx(&sid, &secctx, &secctx_len) == 0) {
+ security_secid_to_secctx(&sid, &secctx, &secctx_len, &sop) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ security_release_secctx(secctx, secctx_len, sop);
} else
audit_log_task_context(audit_buf);
}
diff --git a/kernel/audit.c b/kernel/audit.c
index eab4b52..a01ab21 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -268,6 +268,7 @@ static int audit_log_config_change(char *function_name, int new, int old,
kuid_t loginuid, u32 sessionid,
struct secids *sid, int allow_changes)
{
+ struct security_operations *sop;
struct audit_buffer *ab;
int rc = 0;
@@ -280,13 +281,13 @@ static int audit_log_config_change(char *function_name, int new, int old,
char *ctx = NULL;
u32 len;
- rc = security_secid_to_secctx(sid, &ctx, &len);
+ rc = security_secid_to_secctx(sid, &ctx, &len, &sop);
if (rc) {
audit_log_format(ab, " sid=%u", sid->si_count);
allow_changes = 0; /* Something weird, deny request */
} else {
audit_log_format(ab, " subj=%s", ctx);
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
}
}
audit_log_format(ab, " res=%d", allow_changes);
@@ -611,6 +612,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
kuid_t auid, u32 ses, struct secids *sid)
{
+ struct security_operations *sop;
int rc = 0;
char *ctx = NULL;
u32 len;
@@ -628,12 +630,12 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
from_kuid(&init_user_ns, current_uid()),
from_kuid(&init_user_ns, auid), ses);
if (sid) {
- rc = security_secid_to_secctx(sid, &ctx, &len);
+ rc = security_secid_to_secctx(sid, &ctx, &len, &sop);
if (rc)
audit_log_format(*ab, " ssid=%u", sid->si_count);
else {
audit_log_format(*ab, " subj=%s", ctx);
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
}
}
@@ -642,6 +644,7 @@ static int audit_log_common_recv_msg(struct audit_buffer **ab, u16 msg_type,
static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
{
+ struct security_operations *sop;
u32 seq;
struct secids sid;
void *data;
@@ -850,21 +853,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
len = 0;
if (audit_sig_sid.si_count) {
err = security_secid_to_secctx(&audit_sig_sid, &ctx,
- &len);
+ &len, &sop);
if (err)
return err;
}
sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
if (!sig_data) {
if (audit_sig_sid.si_count)
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
return -ENOMEM;
}
sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
sig_data->pid = audit_sig_pid;
if (audit_sig_sid.si_count) {
memcpy(sig_data->ctx, ctx, len);
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
}
audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_SIGNAL_INFO,
0, 0, sig_data, sizeof(*sig_data) + len);
@@ -1544,17 +1547,17 @@ void audit_log_secctx(struct audit_buffer *ab, u32 secid)
u32 len;
char *secctx;
struct secids secids;
+ struct security_operations *sop;
memset(&secids, 0, sizeof(secids));
secids.si_lsm[0] = secid;
- secids.si_count = 1;
- if (security_secid_to_secctx(&secids, &secctx, &len)) {
+ if (security_secid_to_secctx(&secids, &secctx, &len, &sop)) {
audit_panic("Cannot convert secid to context");
} else {
audit_log_format(ab, " obj=%s", secctx);
- security_release_secctx(secctx, len);
+ security_release_secctx(secctx, len, sop);
}
}
EXPORT_SYMBOL(audit_log_secctx);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 765873b..9a65644 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1114,6 +1114,7 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid,
struct audit_krule *rule,
int res)
{
+ struct security_operations *sop;
struct audit_buffer *ab;
if (!audit_enabled)
@@ -1127,11 +1128,11 @@ static void audit_log_rule_change(kuid_t loginuid, u32 sessionid,
if (sid->si_count) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(sid, &ctx, &len))
+ if (security_secid_to_secctx(sid, &ctx, &len, &sop))
audit_log_format(ab, " ssid=%u", sid->si_count);
else {
audit_log_format(ab, " subj=%s", ctx);
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
}
}
audit_log_format(ab, " op=");
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e7e788b..c00fe05 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1109,12 +1109,13 @@ void audit_log_task_context(struct audit_buffer *ab)
unsigned len;
int error;
struct secids sid;
+ struct security_operations *sop;
security_task_getsecid(current, &sid);
if (sid.si_count == 0)
return;
- error = security_secid_to_secctx(&sid, &ctx, &len);
+ error = security_secid_to_secctx(&sid, &ctx, &len, &sop);
if (error) {
if (error != -EINVAL)
goto error_path;
@@ -1122,7 +1123,7 @@ void audit_log_task_context(struct audit_buffer *ab)
}
audit_log_format(ab, " subj=%s", ctx);
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
return;
error_path:
@@ -1190,6 +1191,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
unsigned int sessionid, struct secids *sid,
char *comm)
{
+ struct security_operations *sop;
struct audit_buffer *ab;
char *ctx = NULL;
u32 len;
@@ -1202,12 +1204,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
- if (security_secid_to_secctx(sid, &ctx, &len)) {
+ if (security_secid_to_secctx(sid, &ctx, &len, &sop)) {
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
}
audit_log_format(ab, " ocomm=");
audit_log_untrustedstring(ab, comm);
@@ -1432,6 +1434,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
static void show_special(struct audit_context *context, int *call_panic)
{
+ struct security_operations *sop;
struct audit_buffer *ab;
int i;
@@ -1457,12 +1460,12 @@ static void show_special(struct audit_context *context, int *call_panic)
if (sip->si_count) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(sip, &ctx, &len)) {
+ if (security_secid_to_secctx(sip, &ctx, &len, &sop)) {
audit_log_format(ab, " osid=%u", sip->si_count);
*call_panic = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
}
}
if (context->ipc.has_perm) {
@@ -1530,6 +1533,7 @@ static void show_special(struct audit_context *context, int *call_panic)
static void audit_log_name(struct audit_context *context, struct audit_names *n,
int record_num, int *call_panic)
{
+ struct security_operations *sop;
struct audit_buffer *ab;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_PATH);
if (!ab)
@@ -1574,12 +1578,12 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
if (n->osid.si_count != 0) {
char *ctx = NULL;
u32 len;
- if (security_secid_to_secctx(&n->osid, &ctx, &len)) {
+ if (security_secid_to_secctx(&n->osid, &ctx, &len, &sop)) {
audit_log_format(ab, " osid=%u", n->osid.si_count);
*call_panic = 2;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
+ security_release_secctx(ctx, len, sop);
}
}
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index a55f8c0..7f0c3bb 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -110,18 +110,19 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
char *secdata;
u32 seclen;
struct secids secid;
+ struct security_operations *sop;
int err;
err = security_socket_getpeersec_dgram(NULL, skb, &secid);
if (err)
return;
- err = security_secid_to_secctx(&secid, &secdata, &seclen);
+ err = security_secid_to_secctx(&secid, &secdata, &seclen, &sop);
if (err)
return;
put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
- security_release_secctx(secdata, seclen);
+ security_release_secctx(secdata, seclen, sop);
}
static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4a95072..cdcf9ab 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -302,12 +302,11 @@ ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
int len, ret;
char *secctx;
struct secids secid;
-
- memset(&secid, 0, sizeof(secid));
+ struct security_operations *sop;
secid.si_lsm[0] = ct->secmark;
- ret = security_secid_to_secctx(&secid, &secctx, &len);
+ ret = security_secid_to_secctx(&secid, &secctx, &len, &sop);
if (ret)
return 0;
@@ -322,7 +321,7 @@ ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
ret = 0;
nla_put_failure:
- security_release_secctx(secctx, len);
+ security_release_secctx(secctx, len, sop);
return ret;
}
#else
@@ -554,12 +553,11 @@ ctnetlink_secctx_size(const struct nf_conn *ct)
#ifdef CONFIG_NF_CONNTRACK_SECMARK
int len, ret;
struct secids secid;
-
- memset(&secid, 0, sizeof(secid));
+ struct security_operations *sop;
secid.si_lsm[0] = ct->secmark;
- ret = security_secid_to_secctx(&secid, NULL, &len);
+ ret = security_secid_to_secctx(&secid, NULL, &len, &sop);
if (ret)
return 0;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 4e5bb3e..fc571d4 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -124,18 +124,19 @@ static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
u32 len;
char *secctx;
struct secids secid;
+ struct security_operations *sop;
memset(&secid, 0, sizeof(secid));
secid.si_lsm[0] = ct->secmark;
- ret = security_secid_to_secctx(&secid, &secctx, &len);
+ ret = security_secid_to_secctx(&secid, &secctx, &len, &sop);
if (ret)
return 0;
ret = seq_printf(s, "secctx=%s ", secctx);
- security_release_secctx(secctx, len);
+ security_release_secctx(secctx, len, sop);
return ret;
}
#else
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 520caaa..d77e085 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -397,6 +397,7 @@ int netlbl_unlhsh_add(struct net *net,
char *secctx = NULL;
u32 secctx_len;
struct secids sid;
+ struct security_operations *sop;
sid.si_lsm[0] = secid;
@@ -463,9 +464,10 @@ unlhsh_add_return:
if (audit_buf != NULL) {
if (security_secid_to_secctx(&sid,
&secctx,
- &secctx_len) == 0) {
+ &secctx_len,
+ &sop) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ security_release_secctx(secctx, secctx_len, sop);
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
@@ -499,6 +501,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
char *secctx;
u32 secctx_len;
struct secids sid;
+ struct security_operations *sop;
spin_lock(&netlbl_unlhsh_lock);
list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
@@ -521,9 +524,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
sid.si_lsm[0] = entry->secid;
if (entry != NULL &&
security_secid_to_secctx(&sid,
- &secctx, &secctx_len) == 0) {
+ &secctx, &secctx_len, &sop) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ security_release_secctx(secctx, secctx_len, sop);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
audit_log_end(audit_buf);
@@ -563,6 +566,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
char *secctx;
u32 secctx_len;
struct secids sid;
+ struct security_operations *sop;
spin_lock(&netlbl_unlhsh_lock);
list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
@@ -584,9 +588,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
sid.si_lsm[0] = entry->secid;
if (entry != NULL &&
security_secid_to_secctx(&sid,
- &secctx, &secctx_len) == 0) {
+ &secctx, &secctx_len, &sop) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ security_release_secctx(secctx, secctx_len, sop);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
audit_log_end(audit_buf);
@@ -1100,6 +1104,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
struct net_device *dev;
void *data;
struct secids secid;
+ struct security_operations *sop;
char *secctx;
u32 secctx_len;
@@ -1160,14 +1165,14 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
secid.si_lsm[0] = addr6->secid;
}
- ret_val = security_secid_to_secctx(&secid, &secctx, &secctx_len);
+ ret_val = security_secid_to_secctx(&secid, &secctx, &secctx_len, &sop);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
NLBL_UNLABEL_A_SECCTX,
secctx_len,
secctx);
- security_release_secctx(secctx, secctx_len);
+ security_release_secctx(secctx, secctx_len, sop);
if (ret_val != 0)
goto list_cb_failure;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 7ef8262..469aa0e 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -101,6 +101,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
char *secctx;
u32 secctx_len;
struct secids secid;
+ struct security_operations *sop;
if (audit_enabled == 0)
return NULL;
@@ -116,9 +117,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
audit_info->sessionid);
if (audit_info->secid != 0 &&
- security_secid_to_secctx(&secid, &secctx, &secctx_len) == 0) {
+ security_secid_to_secctx(&secid, &secctx, &secctx_len, &sop) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
+ security_release_secctx(secctx, secctx_len, sop);
}
return audit_buf;
diff --git a/security/security.c b/security/security.c
index 000a1fc..6594d8d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -627,7 +627,9 @@ int security_inode_killpriv(struct dentry *dentry)
return security_ops->inode_killpriv(dentry);
}
-int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
+int security_inode_getsecurity(const struct inode *inode, const char *name,
+ void **buffer, bool alloc,
+ struct security_operations **secops)
{
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
@@ -1047,7 +1049,8 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
return security_ops->netlink_send(sk, skb);
}
-int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen)
+int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen,
+ struct security_operations **secops)
{
return security_ops->secid_to_secctx(secid->si_lsm[0], secdata, seclen);
}
@@ -1061,7 +1064,8 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
}
EXPORT_SYMBOL(security_secctx_to_secid);
-void security_release_secctx(char *secdata, u32 seclen)
+void security_release_secctx(char *secdata, u32 seclen,
+ struct security_operations *sop)
{
security_ops->release_secctx(secdata, seclen);
}
@@ -1079,7 +1083,8 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
}
EXPORT_SYMBOL(security_inode_setsecctx);
-int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen,
+ struct security_operations **secops)
{
return security_ops->inode_getsecctx(inode, ctx, ctxlen);
}
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH v13 5/9] LSM: Networking component isolation
[not found] <5176ABB7.5080300@schaufler-ca.com>
` (4 preceding siblings ...)
2013-04-23 16:04 ` [PATCH v13 4/9] LSM: Multiple security context maintenance Casey Schaufler
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-24 18:51 ` Paul Moore
2013-04-23 16:04 ` [PATCH v13 6/9] LSM: Additional interfaces in /proc/pid/attr Casey Schaufler
` (3 subsequent siblings)
9 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 5/9] LSM: Networking component isolation
The NetLabel, XFRM and secmark networking mechanisms are
limited to providing security information managed by one
LSM. These changes interface the single LSM networking
components with the multiple LSM system. Each of the
networking components will identify the security ops
vector of the LSM that will use it. There are various
wrapper functions provided to make this obvious and
painless.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 45 ++++++++++
include/net/netlabel.h | 3 +-
include/net/xfrm.h | 8 +-
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 2 +-
net/netfilter/xt_SECMARK.c | 9 +-
net/netlabel/netlabel_kapi.c | 37 ++++++--
net/netlabel/netlabel_unlabeled.c | 56 +++++-------
net/netlabel/netlabel_user.c | 10 +--
net/netlabel/netlabel_user.h | 64 ++++++++++++-
net/xfrm/xfrm_user.c | 44 +++++----
security/security.c | 4 +-
security/selinux/hooks.c | 8 +-
security/selinux/netlabel.c | 4 +-
security/smack/smack_lsm.c | 94 ++++++++++++--------
security/smack/smackfs.c | 34 ++++++-
15 files changed, 282 insertions(+), 140 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 4430b09..da0fc7f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1690,6 +1690,7 @@ struct security_operations {
void (*audit_rule_free) (void *lsmrule);
#endif /* CONFIG_AUDIT */
};
+extern struct security_operations *security_ops;
/* prototypes */
extern int security_init(void);
@@ -2604,6 +2605,15 @@ int security_tun_dev_open(void *security);
void security_skb_owned_by(struct sk_buff *skb, struct sock *sk);
+static inline int security_secmark_secctx_to_secid(const char *secdata,
+ u32 seclen, u32 *secid)
+{
+ if (security_ops && security_ops->secctx_to_secid)
+ return security_ops->secctx_to_secid(secdata, seclen, secid);
+ *secid = 0;
+ return 0;
+}
+
#else /* CONFIG_SECURITY_NETWORK */
static inline int security_unix_stream_connect(struct sock *sock,
struct sock *other,
@@ -2767,6 +2777,13 @@ static inline void security_secmark_refcount_dec(void)
{
}
+static inline int security_secmark_secctx_to_secid(const char *secdata,
+ u32 seclen, u32 *secid)
+{
+ *secid = 0;
+ return 0;
+}
+
static inline int security_tun_dev_alloc_security(void **security)
{
return 0;
@@ -2820,6 +2837,23 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl);
+static inline void security_xfrm_task_getsecid(struct task_struct *p,
+ u32 *secid)
+{
+ if (security_ops && security_ops->task_getsecid)
+ security_ops->task_getsecid(p, secid);
+ else
+ *secid = 0;
+}
+
+static inline int security_xfrm_secid_to_secctx(u32 secid, char **secdata,
+ u32 *seclen)
+{
+ if (security_ops && security_ops->secid_to_secctx)
+ return security_ops->secid_to_secctx(secid, secdata, seclen);
+ return 0;
+}
+
#else /* CONFIG_SECURITY_NETWORK_XFRM */
static inline int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx)
@@ -2882,6 +2916,17 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi
{
}
+static inline void security_xfrm_task_getsecid(struct task_struct *p,
+ u32 *secid)
+{
+ *secid = 0;
+}
+
+static inline int security_xfrm_secid_to_secctx(u32 secid, char **secdata,
+ u32 *seclen)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
#ifdef CONFIG_SECURITY_PATH
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 2c95d55..c0cf965 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -406,7 +406,8 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
/*
* LSM protocol operations (NetLabel LSM/kernel API)
*/
-int netlbl_enabled(void);
+int netlbl_register_lsm(struct security_operations *lsmops);
+int netlbl_enabled(struct security_operations *lsmops);
int netlbl_sock_setattr(struct sock *sk,
u16 family,
const struct netlbl_lsm_secattr *secattr);
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 1dd770e..a9f22be 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -698,17 +698,13 @@ static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
{
char *secctx;
u32 secctx_len;
- struct secids sid;
- struct security_operations *sop;
-
- sid.si_lsm[0] = secid;
audit_log_format(audit_buf, " auid=%u ses=%u",
from_kuid(&init_user_ns, auid), ses);
if (secid != 0 &&
- security_secid_to_secctx(&sid, &secctx, &secctx_len, &sop) == 0) {
+ security_xfrm_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len, sop);
+ security_release_secctx(secctx, secctx_len, security_ops);
} else
audit_log_task_context(audit_buf);
}
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 03dd794..b42e160 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -103,7 +103,7 @@ static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
memset(&secid, 0, sizeof(secid));
- secid.si_lsm[lsm_secmark_ops->order] = ct->secmark;
+ secid.si_lsm[0] = ct->secmark;
secid.si_count = 1;
ret = security_secid_to_secctx(&secid, &secctx, &len, &sop);
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 0f7a066..e6e51c4 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -52,17 +52,12 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
static int checkentry_lsm(struct xt_secmark_target_info *info)
{
int err;
- struct secids secid;
info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
info->secid = 0;
- secid.si_lsm[0] = 0;
-
- err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
- &secid);
- info->secid = secid.si_lsm[0];
-
+ err = security_secmark_secctx_to_secid(info->secctx,
+ strlen(info->secctx), &info->secid);
if (err) {
if (err == -EINVAL)
pr_info("invalid security context \'%s\'\n", info->secctx);
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 7c94aed..2881d48 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -607,23 +607,48 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap *catmap,
* LSM Functions
*/
+struct security_operations *netlbl_active_lsm;
+/**
+ * netlbl_register_lsm - Reserve the NetLabel subsystem for an LSM
+ *
+ * Description:
+ * To avoid potential conflicting views between LSMs over
+ * what should go in the network label reserve the Netlabel
+ * mechanism for use by one LSM. netlbl_enabled will return
+ * false for all other LSMs.
+ *
+ */
+int netlbl_register_lsm(struct security_operations *lsm)
+{
+ if (lsm == NULL)
+ return -EINVAL;
+
+ if (netlbl_active_lsm == NULL)
+ netlbl_active_lsm = lsm;
+ else if (netlbl_active_lsm != lsm)
+ return -EBUSY;
+
+ printk(KERN_INFO "NetLabel: Registered LSM \"%s\".\n", lsm->name);
+ return 0;
+}
+
/**
* netlbl_enabled - Determine if the NetLabel subsystem is enabled
*
* Description:
* The LSM can use this function to determine if it should use NetLabel
- * security attributes in it's enforcement mechanism. Currently, NetLabel is
- * considered to be enabled when it's configuration contains a valid setup for
+ * security attributes in it's enforcement mechanism. NetLabel is
+ * considered to be enabled when the LSM making the call is registered and
+ * the netlabel configuration contains a valid setup for
* at least one labeled protocol (i.e. NetLabel can understand incoming
* labeled packets of at least one type); otherwise NetLabel is considered to
* be disabled.
*
*/
-int netlbl_enabled(void)
+int netlbl_enabled(struct security_operations *lsm)
{
- /* At some point we probably want to expose this mechanism to the user
- * as well so that admins can toggle NetLabel regardless of the
- * configuration */
+ if (netlbl_active_lsm != lsm)
+ return 0;
return (atomic_read(&netlabel_mgmt_protocount) > 0);
}
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index d77e085..2580a98 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -396,10 +396,6 @@ int netlbl_unlhsh_add(struct net *net,
struct audit_buffer *audit_buf = NULL;
char *secctx = NULL;
u32 secctx_len;
- struct secids sid;
- struct security_operations *sop;
-
- sid.si_lsm[0] = secid;
if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr))
@@ -462,12 +458,11 @@ int netlbl_unlhsh_add(struct net *net,
unlhsh_add_return:
rcu_read_unlock();
if (audit_buf != NULL) {
- if (security_secid_to_secctx(&sid,
+ if (netlbl_secid_to_secctx(secid,
&secctx,
- &secctx_len,
- &sop) == 0) {
+ &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len, sop);
+ netlbl_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
@@ -500,8 +495,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
struct net_device *dev;
char *secctx;
u32 secctx_len;
- struct secids sid;
- struct security_operations *sop;
spin_lock(&netlbl_unlhsh_lock);
list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
@@ -521,12 +514,11 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
addr->s_addr, mask->s_addr);
if (dev != NULL)
dev_put(dev);
- sid.si_lsm[0] = entry->secid;
if (entry != NULL &&
- security_secid_to_secctx(&sid,
- &secctx, &secctx_len, &sop) == 0) {
+ netlbl_secid_to_secctx(entry->secid,
+ &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len, sop);
+ netlbl_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
audit_log_end(audit_buf);
@@ -565,8 +557,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
struct net_device *dev;
char *secctx;
u32 secctx_len;
- struct secids sid;
- struct security_operations *sop;
spin_lock(&netlbl_unlhsh_lock);
list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
@@ -585,12 +575,11 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
addr, mask);
if (dev != NULL)
dev_put(dev);
- sid.si_lsm[0] = entry->secid;
if (entry != NULL &&
- security_secid_to_secctx(&sid,
- &secctx, &secctx_len, &sop) == 0) {
+ netlbl_secid_to_secctx(entry->secid,
+ &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len, sop);
+ netlbl_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
audit_log_end(audit_buf);
@@ -913,7 +902,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
void *addr;
void *mask;
u32 addr_len;
- struct secids secid;
+ u32 secid;
struct netlbl_audit audit_info;
/* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -934,7 +923,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
if (ret_val != 0)
return ret_val;
dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
- ret_val = security_secctx_to_secid(
+ ret_val = netlbl_secctx_to_secid(
nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
&secid);
@@ -942,7 +931,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
return ret_val;
return netlbl_unlhsh_add(&init_net,
- dev_name, addr, mask, addr_len, secid.si_lsm[0],
+ dev_name, addr, mask, addr_len, secid,
&audit_info);
}
@@ -964,7 +953,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
void *addr;
void *mask;
u32 addr_len;
- struct secids secid;
+ u32 secid;
struct netlbl_audit audit_info;
/* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -983,7 +972,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
if (ret_val != 0)
return ret_val;
- ret_val = security_secctx_to_secid(
+ ret_val = netlbl_secctx_to_secid(
nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
&secid);
@@ -991,7 +980,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
return ret_val;
return netlbl_unlhsh_add(&init_net,
- NULL, addr, mask, addr_len, secid.si_lsm[0],
+ NULL, addr, mask, addr_len, secid,
&audit_info);
}
@@ -1103,8 +1092,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
struct netlbl_unlhsh_walk_arg *cb_arg = arg;
struct net_device *dev;
void *data;
- struct secids secid;
- struct security_operations *sop;
+ u32 secid;
char *secctx;
u32 secctx_len;
@@ -1146,7 +1134,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;
- secid.si_lsm[0] = addr4->secid;
+ secid = addr4->secid;
} else {
ret_val = nla_put(cb_arg->skb,
NLBL_UNLABEL_A_IPV6ADDR,
@@ -1162,17 +1150,17 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;
- secid.si_lsm[0] = addr6->secid;
+ secid = addr6->secid;
}
- ret_val = security_secid_to_secctx(&secid, &secctx, &secctx_len, &sop);
+ ret_val = netlbl_secid_to_secctx(secid, &secctx, &secctx_len);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
NLBL_UNLABEL_A_SECCTX,
secctx_len,
secctx);
- security_release_secctx(secctx, secctx_len, sop);
+ netlbl_release_secctx(secctx, secctx_len);
if (ret_val != 0)
goto list_cb_failure;
@@ -1543,13 +1531,11 @@ int __init netlbl_unlabel_defconf(void)
int ret_val;
struct netlbl_dom_map *entry;
struct netlbl_audit audit_info;
- struct secids secid;
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
- security_task_getsecid(current, &secid);
- audit_info.secid = secid.si_lsm[0];
+ netlbl_task_getsecid(current, &audit_info.secid);
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 469aa0e..e3b486d 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -100,14 +100,10 @@ struct audit_buffer *netlbl_audit_start_common(int type,
struct audit_buffer *audit_buf;
char *secctx;
u32 secctx_len;
- struct secids secid;
- struct security_operations *sop;
if (audit_enabled == 0)
return NULL;
- secid.si_lsm[0] = audit_info->secid;
-
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL)
return NULL;
@@ -117,9 +113,11 @@ struct audit_buffer *netlbl_audit_start_common(int type,
audit_info->sessionid);
if (audit_info->secid != 0 &&
- security_secid_to_secctx(&secid, &secctx, &secctx_len, &sop) == 0) {
+ netlbl_secid_to_secctx(audit_info->secid,
+ &secctx,
+ &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len, sop);
+ netlbl_release_secctx(secctx, secctx_len);
}
return audit_buf;
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index a6f1705..9990b24 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -41,6 +41,65 @@
/* NetLabel NETLINK helper functions */
+extern struct security_operations *netlbl_active_lsm;
+
+/**
+ * netlbl_secid_to_secctx - call the registered secid_to_secctx LSM hook
+ * @secid - The secid to convert
+ * @secdata - Where to put the result
+ * @seclen - Where to put the length of the result
+ *
+ * Returns: the result of calling the hook.
+ */
+static inline int netlbl_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+ if (netlbl_active_lsm == NULL)
+ return -EINVAL;
+ return netlbl_active_lsm->secid_to_secctx(secid, secdata, seclen);
+}
+
+/**
+ * netlbl_release_secctx - call the registered release_secctx LSM hook
+ * @secdata - The security context to release
+ * @seclen - The size of the context to release
+ *
+ */
+static inline void netlbl_release_secctx(char *secdata, u32 seclen)
+{
+ if (netlbl_active_lsm != NULL)
+ netlbl_active_lsm->release_secctx(secdata, seclen);
+}
+
+/**
+ * netlbl_secctx_to_secid - call the registered seccts_to_secid LSM hook
+ * @secdata - The security context
+ * @seclen - The size of the security context
+ * @secid - Where to put the result
+ *
+ * Returns: the result of calling the hook
+ */
+static inline int netlbl_secctx_to_secid(const char *secdata, u32 seclen,
+ u32 *secid)
+{
+ if (netlbl_active_lsm == NULL) {
+ *secid = 0;
+ return -EINVAL;
+ }
+ return netlbl_active_lsm->secctx_to_secid(secdata, seclen, secid);
+}
+
+/**
+ * netlbl_task_getsecid - call the registered task_getsecid LSM hook
+ * @p - The task
+ * @secid - Where to put the secid
+ *
+ */
+static inline void netlbl_task_getsecid(struct task_struct *p, u32 *secid)
+{
+ if (netlbl_active_lsm)
+ netlbl_active_lsm->task_getsecid(p, secid);
+}
+
/**
* netlbl_netlink_auditinfo - Fetch the audit information from a NETLINK msg
* @skb: the packet
@@ -49,10 +108,7 @@
static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
struct netlbl_audit *audit_info)
{
- struct secids secid;
-
- security_task_getsecid(current, &secid);
- audit_info->secid = secid.si_lsm[0];
+ netlbl_task_getsecid(current, &audit_info->secid);
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 5476610..8c1277b 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -597,7 +597,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct km_event c;
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- struct secids sid;
+ u32 sid;
err = verify_newsa_info(p, attrs);
if (err)
@@ -613,8 +613,8 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
else
err = xfrm_state_update(x);
- security_task_getsecid(current, &sid);
- xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid.si_lsm[0]);
+ security_xfrm_task_getsecid(current, &sid);
+ xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -676,7 +676,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_usersa_id *p = nlmsg_data(nlh);
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- struct secids sid;
+ u32 sid;
x = xfrm_user_state_lookup(net, p, attrs, &err);
if (x == NULL)
@@ -701,8 +701,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
km_state_notify(x, &c);
out:
- security_task_getsecid(current, &sid);
- xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid.si_lsm[0]);
+ security_xfrm_task_getsecid(current, &sid);
+ xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
xfrm_state_put(x);
return err;
}
@@ -1395,7 +1395,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
int excl;
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- struct secids sid;
+ u32 sid;
err = verify_newpolicy_info(p);
if (err)
@@ -1414,8 +1414,8 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
* a type XFRM_MSG_UPDPOLICY - JHS */
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
- security_task_getsecid(current, &sid);
- xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid.si_lsm[0]);
+ security_xfrm_task_getsecid(current, &sid);
+ xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
if (err) {
security_xfrm_policy_free(xp->security);
@@ -1653,11 +1653,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
} else {
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- struct secids sid;
+ u32 sid;
- security_task_getsecid(current, &sid);
+ security_xfrm_task_getsecid(current, &sid);
xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
- sid.si_lsm[0]);
+ sid);
if (err != 0)
goto out;
@@ -1682,12 +1682,10 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_usersa_flush *p = nlmsg_data(nlh);
struct xfrm_audit audit_info;
int err;
- struct secids secid;
audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
- security_task_getsecid(current, &secid);
- audit_info.secid = secid.si_lsm[0];
+ security_xfrm_task_getsecid(current, &audit_info.secid);
err = xfrm_state_flush(net, p->proto, &audit_info);
if (err) {
if (err == -ESRCH) /* empty table */
@@ -1873,7 +1871,6 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
u8 type = XFRM_POLICY_TYPE_MAIN;
int err;
struct xfrm_audit audit_info;
- struct secids secid;
err = copy_from_user_policy_type(&type, attrs);
if (err)
@@ -1881,8 +1878,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
- security_task_getsecid(current, &secid);
- audit_info.secid = secid.si_lsm[0];
+ security_xfrm_task_getsecid(current, &audit_info.secid);
err = xfrm_policy_flush(net, type, &audit_info);
if (err) {
if (err == -ESRCH) /* empty table */
@@ -1951,11 +1947,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
if (up->hard) {
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- struct secids sid;
+ u32 sid;
- security_task_getsecid(current, &sid);
+ security_xfrm_task_getsecid(current, &sid);
xfrm_policy_delete(xp, p->dir);
- xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid.si_lsm[0]);
+ xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
} else {
// reset the timers here?
@@ -1994,11 +1990,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
if (ue->hard) {
kuid_t loginuid = audit_get_loginuid(current);
u32 sessionid = audit_get_sessionid(current);
- struct secids sid;
+ u32 sid;
- security_task_getsecid(current, &sid);
+ security_xfrm_task_getsecid(current, &sid);
__xfrm_state_delete(x);
- xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid.si_lsm[0]);
+ xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
}
err = 0;
out:
diff --git a/security/security.c b/security/security.c
index 6594d8d..d0b768c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -32,7 +32,9 @@
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY;
-static struct security_operations *security_ops;
+struct security_operations *security_ops;
+EXPORT_SYMBOL(security_ops);
+
static struct security_operations default_security_ops = {
.name = "default",
};
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9ff6d6d..7104c6b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4188,7 +4188,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return selinux_sock_rcv_skb_compat(sk, skb, family);
secmark_active = selinux_secmark_enabled();
- peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
+ peerlbl_active = netlbl_enabled(&selinux_ops) || selinux_xfrm_enabled();
if (!secmark_active && !peerlbl_active)
return 0;
@@ -4571,7 +4571,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
return NF_ACCEPT;
secmark_active = selinux_secmark_enabled();
- netlbl_active = netlbl_enabled();
+ netlbl_active = netlbl_enabled(&selinux_ops);
peerlbl_active = netlbl_active || selinux_xfrm_enabled();
if (!secmark_active && !peerlbl_active)
return NF_ACCEPT;
@@ -4636,7 +4636,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
{
u32 sid;
- if (!netlbl_enabled())
+ if (!netlbl_enabled(&selinux_ops))
return NF_ACCEPT;
/* we do this in the LOCAL_OUT path and not the POST_ROUTING path
@@ -4725,7 +4725,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
return NF_ACCEPT;
#endif
secmark_active = selinux_secmark_enabled();
- peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
+ peerlbl_active = netlbl_enabled(&selinux_ops) || selinux_xfrm_enabled();
if (!secmark_active && !peerlbl_active)
return NF_ACCEPT;
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 7a9cbd0..471dce1 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -180,7 +180,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
int rc;
struct netlbl_lsm_secattr secattr;
- if (!netlbl_enabled()) {
+ if (!netlbl_enabled(&selinux_ops)) {
*sid = SECSID_NULL;
return 0;
}
@@ -351,7 +351,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
u32 perm;
struct netlbl_lsm_secattr secattr;
- if (!netlbl_enabled())
+ if (!netlbl_enabled(&selinux_ops))
return 0;
netlbl_secattr_init(&secattr);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 223bbdf..7473498 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1667,9 +1667,6 @@ static int smack_task_movememory(struct task_struct *p)
* @subcred: identifies the smack to use in lieu of current's
*
* Return 0 if write access is permitted
- *
- * The secid behavior is an artifact of an SELinux hack
- * in the USB code. Someday it may go away.
*/
static int smack_task_kill(struct task_struct *p, struct siginfo *info,
int sig, const struct cred *subcred)
@@ -1824,6 +1821,11 @@ static int smack_netlabel(struct sock *sk, int labeled)
int rc = 0;
/*
+ * If Netlabel is unavailable send unlabeled.
+ */
+ if (!smack_use_netlbl)
+ return 0;
+ /*
* Usually the netlabel code will handle changing the
* packet labeling based on the label.
* The case of a single label host is different, because
@@ -2895,19 +2897,24 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return 0;
/*
- * Translate what netlabel gave us.
* If Netlabel is unavailable use the ambient label.
* In this case we'd expect the ambient label to be "@".
*/
- netlbl_secattr_init(&secattr);
+ if (smack_use_netlbl) {
+ /*
+ * Translate what netlabel gave us.
+ */
+ netlbl_secattr_init(&secattr);
- rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
- if (rc == 0)
- csp = smack_from_secattr(&secattr, ssp);
- else
- csp = smack_net_ambient;
+ rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
+ if (rc == 0)
+ csp = smack_from_secattr(&secattr, ssp);
+ else
+ csp = smack_net_ambient;
- netlbl_secattr_destroy(&secattr);
+ netlbl_secattr_destroy(&secattr);
+ } else
+ csp = smack_net_ambient;
#ifdef CONFIG_AUDIT
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
@@ -2922,7 +2929,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
* for networking.
*/
rc = smk_access(csp, ssp->smk_in, MAY_WRITE, &ad);
- if (rc != 0)
+ if (rc != 0 && smack_use_netlbl)
netlbl_skbuff_err(skb, rc, 0);
return rc;
}
@@ -2996,17 +3003,21 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
s = smack_to_secid(ssp->smk_out);
} else if (family == PF_INET || family == PF_INET6) {
/*
- * Translate what netlabel gave us.
+ * Translate what netlabel gave us. Use the ambient
+ * label if we can't use netlabel.
*/
- if (sock != NULL && sock->sk != NULL)
- ssp = lsm_get_sock(sock->sk, &smack_ops);
- netlbl_secattr_init(&secattr);
- rc = netlbl_skbuff_getattr(skb, family, &secattr);
- if (rc == 0) {
- sp = smack_from_secattr(&secattr, ssp);
- s = smack_to_secid(sp);
- }
- netlbl_secattr_destroy(&secattr);
+ if (smack_use_netlbl) {
+ if (sock != NULL && sock->sk != NULL)
+ ssp = lsm_get_sock(sock->sk, &smack_ops);
+ netlbl_secattr_init(&secattr);
+ rc = netlbl_skbuff_getattr(skb, family, &secattr);
+ if (rc == 0) {
+ sp = smack_from_secattr(&secattr, ssp);
+ s = smack_to_secid(sp);
+ }
+ netlbl_secattr_destroy(&secattr);
+ } else
+ s = smack_to_secid(smack_net_ambient);
}
*secid = s;
if (s == 0)
@@ -3065,13 +3076,16 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
family = PF_INET;
- netlbl_secattr_init(&secattr);
- rc = netlbl_skbuff_getattr(skb, family, &secattr);
- if (rc == 0)
- sp = smack_from_secattr(&secattr, ssp);
- else
- sp = smack_known_huh.smk_known;
- netlbl_secattr_destroy(&secattr);
+ if (smack_use_netlbl) {
+ netlbl_secattr_init(&secattr);
+ rc = netlbl_skbuff_getattr(skb, family, &secattr);
+ if (rc == 0)
+ sp = smack_from_secattr(&secattr, ssp);
+ else
+ sp = smack_known_huh.smk_known;
+ netlbl_secattr_destroy(&secattr);
+ } else
+ sp = smack_net_ambient;
#ifdef CONFIG_AUDIT
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
@@ -3098,17 +3112,19 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
* if we do we only need to label the request_sock and the stack will
* propagate the wire-label to the sock when it is created.
*/
- hdr = ip_hdr(skb);
- addr.sin_addr.s_addr = hdr->saddr;
- rcu_read_lock();
- hsp = smack_host_label(&addr);
- rcu_read_unlock();
+ if (smack_use_netlbl) {
+ hdr = ip_hdr(skb);
+ addr.sin_addr.s_addr = hdr->saddr;
+ rcu_read_lock();
+ hsp = smack_host_label(&addr);
+ rcu_read_unlock();
- if (hsp == NULL) {
- skp = smk_find_entry(sp);
- rc = netlbl_req_setattr(req, &skp->smk_netlabel);
- } else
- netlbl_req_delattr(req);
+ if (hsp == NULL) {
+ skp = smk_find_entry(sp);
+ rc = netlbl_req_setattr(req, &skp->smk_netlabel);
+ } else
+ netlbl_req_delattr(req);
+ }
return rc;
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 5335444..f51f98f 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -115,6 +115,13 @@ static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
const char *smack_cipso_option = SMACK_CIPSO_OPTION;
/*
+ * If another LSM has registered the Netlabel system
+ * this gets set false, indicating that all packets should get
+ * treated as if they are unlabeled, hence ambient.
+ */
+int smack_use_netlbl;
+
+/*
* Values for parsing cipso rules
* SMK_DIGITLEN: Length of a digit field in a rule.
* SMK_CIPSOMIN: Minimum possible cipso rule length.
@@ -624,6 +631,22 @@ static void smk_cipso_doi(void)
struct cipso_v4_doi *doip;
struct netlbl_audit nai;
+ if (smack_net_ambient == NULL)
+ smack_net_ambient = smack_known_floor.smk_known;
+
+ /*
+ * If someone else has registered use of netlbl abort
+ */
+ if (!smack_use_netlbl) {
+ rc = netlbl_register_lsm(&smack_ops);
+ if (rc) {
+ printk(KERN_WARNING "%s:%d Netlabel use denied\n",
+ __func__, __LINE__);
+ return;
+ }
+ smack_use_netlbl = 1;
+ }
+
smk_netlabel_audit_set(&nai);
rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
@@ -1185,9 +1208,12 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
smk_netlbladdr_insert(skp);
}
} else {
- /* we delete the unlabeled entry, only if the previous label
- * wasn't the special CIPSO option */
- if (skp->smk_label != smack_cipso_option)
+ /*
+ * Delete the unlabeled entry if the previous label
+ * wasn't the special CIPSO option or if some other
+ * LSM owns Netlabel.
+ */
+ if (skp->smk_label != smack_cipso_option && smack_use_netlbl)
rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
&skp->smk_host.sin_addr, &skp->smk_mask,
PF_INET, &audit_info);
@@ -1199,7 +1225,7 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
* this host so that incoming packets get labeled.
* but only if we didn't get the special CIPSO option
*/
- if (rc == 0 && sp != smack_cipso_option)
+ if (rc == 0 && sp != smack_cipso_option && smack_use_netlbl)
rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
smack_to_secid(skp->smk_label), &audit_info);
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH v13 6/9] LSM: Additional interfaces in /proc/pid/attr
[not found] <5176ABB7.5080300@schaufler-ca.com>
` (5 preceding siblings ...)
2013-04-23 16:04 ` [PATCH v13 5/9] LSM: Networking component isolation Casey Schaufler
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 7/9] LSM: remove Yama special case stacking Casey Schaufler
` (2 subsequent siblings)
9 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 6/9] LSM: Additional interfaces in /proc/pid/attr
SELinux, Smack and AppArmor share the files to /proc/<pid>/attr.
This is fine when only one LSM is allowed, but not so good
when there is more than one of those LSMs active. For backward
compatability the old interfaces are left as is. New interfaces
specific to the LSMs have been added. There is also a new entry
"context", which is the combined security context.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/proc/base.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 69078c7..51435ba 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2217,12 +2217,29 @@ static const struct file_operations proc_pid_attr_operations = {
};
static const struct pid_entry attr_dir_stuff[] = {
- REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("prev", S_IRUGO, proc_pid_attr_operations),
- REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
- REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("prev", S_IRUGO, proc_pid_attr_operations),
+ REG("exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("context", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#ifdef CONFIG_SECURITY_SELINUX
+ REG("selinux.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.prev", S_IRUGO, proc_pid_attr_operations),
+ REG("selinux.exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.fscreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.keycreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("selinux.sockcreate", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
+#ifdef CONFIG_SECURITY_SMACK
+ REG("smack.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
+#ifdef CONFIG_SECURITY_APPARMOR
+ REG("apparmor.current", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+ REG("apparmor.prev", S_IRUGO, proc_pid_attr_operations),
+ REG("apparmor.exec", S_IRUGO|S_IWUGO, proc_pid_attr_operations),
+#endif
};
static int proc_attr_dir_readdir(struct file * filp,
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH v13 7/9] LSM: remove Yama special case stacking
[not found] <5176ABB7.5080300@schaufler-ca.com>
` (6 preceding siblings ...)
2013-04-23 16:04 ` [PATCH v13 6/9] LSM: Additional interfaces in /proc/pid/attr Casey Schaufler
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-23 20:12 ` Kees Cook
2013-04-23 16:04 ` [PATCH v13 8/9] LSM: Hook list management Casey Schaufler
2013-04-23 16:05 ` [PATCH v13 9/9] LSM: Documentation and cleanup Casey Schaufler
9 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 7/9] LSM: remove Yama special case stacking
Remove the special case stacking for Yama.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
security/security.c | 21 ---------------------
security/yama/Kconfig | 8 --------
security/yama/yama_lsm.c | 19 -------------------
3 files changed, 48 deletions(-)
diff --git a/security/security.c b/security/security.c
index d0b768c..67e435b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -138,23 +138,11 @@ int __init register_security(struct security_operations *ops)
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- int rc;
- rc = yama_ptrace_access_check(child, mode);
- if (rc)
- return rc;
-#endif
return security_ops->ptrace_access_check(child, mode);
}
int security_ptrace_traceme(struct task_struct *parent)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- int rc;
- rc = yama_ptrace_traceme(parent);
- if (rc)
- return rc;
-#endif
return security_ops->ptrace_traceme(parent);
}
@@ -783,9 +771,6 @@ int security_task_create(unsigned long clone_flags)
void security_task_free(struct task_struct *task)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- yama_task_free(task);
-#endif
security_ops->task_free(task);
}
@@ -911,12 +896,6 @@ int security_task_wait(struct task_struct *p)
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
-#ifdef CONFIG_SECURITY_YAMA_STACKED
- int rc;
- rc = yama_task_prctl(option, arg2, arg3, arg4, arg5);
- if (rc != -ENOSYS)
- return rc;
-#endif
return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
}
diff --git a/security/yama/Kconfig b/security/yama/Kconfig
index 20ef514..51d6709 100644
--- a/security/yama/Kconfig
+++ b/security/yama/Kconfig
@@ -11,11 +11,3 @@ config SECURITY_YAMA
Further information can be found in Documentation/security/Yama.txt.
If you are unsure how to answer this question, answer N.
-
-config SECURITY_YAMA_STACKED
- bool "Yama stacked with other LSMs"
- depends on SECURITY_YAMA
- default n
- help
- When Yama is built into the kernel, force it to stack with the
- selected primary LSM.
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 13c88fbc..63ad9bb 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -364,16 +364,6 @@ int yama_ptrace_traceme(struct task_struct *parent)
return rc;
}
-#ifndef CONFIG_SECURITY_YAMA_STACKED
-static struct security_operations yama_ops = {
- .name = "yama",
-
- .ptrace_access_check = yama_ptrace_access_check,
- .ptrace_traceme = yama_ptrace_traceme,
- .task_prctl = yama_task_prctl,
- .task_free = yama_task_free,
-};
-#endif
#ifdef CONFIG_SYSCTL
static int yama_dointvec_minmax(struct ctl_table *table, int write,
@@ -420,18 +410,9 @@ static struct ctl_table yama_sysctl_table[] = {
static __init int yama_init(void)
{
-#ifndef CONFIG_SECURITY_YAMA_STACKED
- if (!security_module_enable(&yama_ops))
- return 0;
-#endif
printk(KERN_INFO "Yama: becoming mindful.\n");
-#ifndef CONFIG_SECURITY_YAMA_STACKED
- if (register_security(&yama_ops))
- panic("Yama: kernel registration failed.\n");
-#endif
-
#ifdef CONFIG_SYSCTL
if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table))
panic("Yama: sysctl registration failed.\n");
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH v13 8/9] LSM: Hook list management
[not found] <5176ABB7.5080300@schaufler-ca.com>
` (7 preceding siblings ...)
2013-04-23 16:04 ` [PATCH v13 7/9] LSM: remove Yama special case stacking Casey Schaufler
@ 2013-04-23 16:04 ` Casey Schaufler
2013-04-23 16:05 ` [PATCH v13 9/9] LSM: Documentation and cleanup Casey Schaufler
9 siblings, 0 replies; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:04 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 8/9] LSM: Hook list management
Implement a list for each LSM hook. Execute all of the
registered hooks in the specified order. Manage security
blobs on behalf of the modules. Integrate with the
NetLabel, xfrm and secmark networking components. Move
the capablity module directly into the hook handlers.
Provide securityfs interfaces to display which lsms are
active and which is using the legacy interfaces in
/proc/pid/attr. Bring all existing modules in line with
the new world order.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm.h | 75 +-
include/linux/security.h | 290 ++-
include/net/xfrm.h | 2 +-
kernel/audit.c | 6 +-
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 2 +-
net/netfilter/nf_conntrack_netlink.c | 14 +-
net/netfilter/nf_conntrack_standalone.c | 3 +-
security/Kconfig | 176 +-
security/apparmor/domain.c | 11 +-
security/apparmor/lsm.c | 32 +-
security/capability.c | 1 -
security/commoncap.c | 6 -
security/inode.c | 79 +-
security/security.c | 1975 ++++++++++++++++----
security/selinux/hooks.c | 71 +-
security/smack/smack_lsm.c | 50 +-
security/smack/smackfs.c | 2 +-
security/tomoyo/tomoyo.c | 8 +-
security/yama/Kconfig | 1 +
security/yama/yama_lsm.c | 34 +-
20 files changed, 2233 insertions(+), 605 deletions(-)
diff --git a/include/linux/lsm.h b/include/linux/lsm.h
index 7c93865..d8ec5a4 100644
--- a/include/linux/lsm.h
+++ b/include/linux/lsm.h
@@ -10,11 +10,6 @@
* Author:
* Casey Schaufler <casey@schaufler-ca.com>
*
- * Abstraction layer for LSM security blobs.
- * This is pointless by itself, but necessary for multiple concurrent
- * modules support. Multiple concurrent module support is also refered
- * to as module stacking.
- *
*/
#ifndef _LINUX_LSM_H
#define _LINUX_LSM_H
@@ -27,124 +22,146 @@
#include <linux/security.h>
/*
- * Trivial implementation for the one-LSM-at-a-time case
+ * Just a set of slots for each LSM to keep its blob in.
*/
-static inline void *lsm_get_blob(const void *bp, const int lsm)
+struct lsm_blob {
+ int lsm_setcount; /* Number of blobs set */
+ void *lsm_blobs[COMPOSER_MAX]; /* LSM specific blobs */
+};
+
+static inline struct lsm_blob *lsm_alloc_blob(gfp_t gfp)
{
- return (void *)bp;
+ return kzalloc(sizeof(struct lsm_blob), gfp);
+}
+
+static inline void *lsm_get_blob(const struct lsm_blob *bp, const int lsm)
+{
+ if (bp == NULL)
+ return NULL;
+ return bp->lsm_blobs[lsm];
}
-/*
- * Trivial implementation for the one-LSM-at-a-time case
- */
static inline void lsm_set_blob(void **vpp, void *value, const int lsm)
{
- *vpp = value;
+ struct lsm_blob *bp = *vpp;
+
+ if (value == NULL && bp->lsm_blobs[lsm] != NULL)
+ bp->lsm_setcount--;
+ if (value != NULL && bp->lsm_blobs[lsm] == NULL)
+ bp->lsm_setcount++;
+
+ bp->lsm_blobs[lsm] = value;
}
static inline void *lsm_get_cred(const struct cred *cred,
const struct security_operations *sop)
{
- return lsm_get_blob(cred->security, 0);
+ return lsm_get_blob(cred->security, sop->order);
}
static inline void lsm_set_cred(struct cred *cred, void *value,
const struct security_operations *sop)
{
- lsm_set_blob(&cred->security, value, 0);
+ lsm_set_blob(&cred->security, value, sop->order);
}
static inline int lsm_set_init_cred(struct cred *cred, void *value,
const struct security_operations *sop)
{
- cred->security = value;
+ if (cred->security == NULL) {
+ cred->security = lsm_alloc_blob(GFP_KERNEL);
+ if (cred->security == NULL)
+ return -ENOMEM;
+ }
+
+ lsm_set_blob(&cred->security, value, sop->order);
return 0;
}
static inline void *lsm_get_file(const struct file *file,
const struct security_operations *sop)
{
- return lsm_get_blob(file->f_security, 0);
+ return lsm_get_blob(file->f_security, sop->order);
}
static inline void lsm_set_file(struct file *file, void *value,
const struct security_operations *sop)
{
- lsm_set_blob(&file->f_security, value, 0);
+ lsm_set_blob(&file->f_security, value, sop->order);
}
static inline void *lsm_get_inode(const struct inode *inode,
const struct security_operations *sop)
{
- return lsm_get_blob(inode->i_security, 0);
+ return lsm_get_blob(inode->i_security, sop->order);
}
static inline void lsm_set_inode(struct inode *inode, void *value,
const struct security_operations *sop)
{
- lsm_set_blob(&inode->i_security, value, 0);
+ lsm_set_blob(&inode->i_security, value, sop->order);
}
static inline void *lsm_get_super(const struct super_block *super,
const struct security_operations *sop)
{
- return lsm_get_blob(super->s_security, 0);
+ return lsm_get_blob(super->s_security, sop->order);
}
static inline void lsm_set_super(struct super_block *super, void *value,
const struct security_operations *sop)
{
- lsm_set_blob(&super->s_security, value, 0);
+ lsm_set_blob(&super->s_security, value, sop->order);
}
static inline void *lsm_get_ipc(const struct kern_ipc_perm *ipc,
const struct security_operations *sop)
{
- return lsm_get_blob(ipc->security, 0);
+ return lsm_get_blob(ipc->security, sop->order);
}
static inline void lsm_set_ipc(struct kern_ipc_perm *ipc, void *value,
const struct security_operations *sop)
{
- lsm_set_blob(&ipc->security, value, 0);
+ lsm_set_blob(&ipc->security, value, sop->order);
}
static inline void *lsm_get_msg(const struct msg_msg *msg,
const struct security_operations *sop)
{
- return lsm_get_blob(msg->security, 0);
+ return lsm_get_blob(msg->security, sop->order);
}
static inline void lsm_set_msg(struct msg_msg *msg, void *value,
const struct security_operations *sop)
{
- lsm_set_blob(&msg->security, value, 0);
+ lsm_set_blob(&msg->security, value, sop->order);
}
#ifdef CONFIG_KEYS
static inline void *lsm_get_key(const struct key *key,
const struct security_operations *sop)
{
- return lsm_get_blob(key->security, 0);
+ return lsm_get_blob(key->security, sop->order);
}
static inline void lsm_set_key(struct key *key, void *value,
const struct security_operations *sop)
{
- lsm_set_blob(&key->security, value, 0);
+ lsm_set_blob(&key->security, value, sop->order);
}
#endif
static inline void *lsm_get_sock(const struct sock *sock,
const struct security_operations *sop)
{
- return lsm_get_blob(sock->sk_security, 0);
+ return lsm_get_blob(sock->sk_security, sop->order);
}
static inline void lsm_set_sock(struct sock *sock, void *value,
const struct security_operations *sop)
{
- lsm_set_blob(&sock->sk_security, value, 0);
+ lsm_set_blob(&sock->sk_security, value, sop->order);
}
#endif /* ! _LINUX_LSM_H */
diff --git a/include/linux/security.h b/include/linux/security.h
index da0fc7f..9a073b7 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -56,6 +56,10 @@ struct mm_struct;
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
+/* Maximum number of LSMs that can be used at a time. */
+#define COMPOSER_MAX CONFIG_SECURITY_COMPOSER_MAX
+#define COMPOSER_NAMES_MAX ((SECURITY_NAME_MAX + 1) * COMPOSER_MAX)
+
/* If capable should audit the security request */
#define SECURITY_CAP_NOAUDIT 0
#define SECURITY_CAP_AUDIT 1
@@ -87,8 +91,6 @@ extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
extern int cap_inode_need_killpriv(struct dentry *dentry);
extern int cap_inode_killpriv(struct dentry *dentry);
extern int cap_mmap_addr(unsigned long addr);
-extern int cap_mmap_file(struct file *file, unsigned long reqprot,
- unsigned long prot, unsigned long flags);
extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5);
@@ -112,8 +114,6 @@ struct seq_file;
extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
-void reset_security_ops(void);
-
#ifdef CONFIG_MMU
extern unsigned long mmap_min_addr;
extern unsigned long dac_mmap_min_addr;
@@ -159,7 +159,9 @@ typedef int (*initxattrs) (struct inode *inode,
/* A collection of secids, which are what (certain) LSMs deal with */
struct secids {
int si_count;
- u32 si_lsm[1];
+#ifdef CONFIG_SECURITY
+ u32 si_lsm[COMPOSER_MAX];
+#endif
};
#ifdef CONFIG_SECURITY
@@ -190,15 +192,227 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
opts->num_mnt_opts = 0;
}
+/*
+ * Index for LSM operations.
+ */
+enum lsm_hooks_index {
+ lsm_ptrace_access_check,
+ lsm_ptrace_traceme,
+ lsm_capget,
+ lsm_capset,
+ lsm_capable,
+ lsm_quotactl,
+ lsm_quota_on,
+ lsm_syslog,
+ lsm_settime,
+ lsm_vm_enough_memory,
+ lsm_bprm_set_creds,
+ lsm_bprm_check_security,
+ lsm_bprm_secureexec,
+ lsm_bprm_committing_creds,
+ lsm_bprm_committed_creds,
+ lsm_sb_alloc_security,
+ lsm_sb_free_security,
+ lsm_sb_copy_data,
+ lsm_sb_remount,
+ lsm_sb_kern_mount,
+ lsm_sb_show_options,
+ lsm_sb_statfs,
+ lsm_sb_mount,
+ lsm_sb_umount,
+ lsm_sb_pivotroot,
+ lsm_sb_set_mnt_opts,
+ lsm_sb_clone_mnt_opts,
+ lsm_sb_parse_opts_str,
+ lsm_path_unlink,
+ lsm_path_mkdir,
+ lsm_path_rmdir,
+ lsm_path_mknod,
+ lsm_path_truncate,
+ lsm_path_symlink,
+ lsm_path_link,
+ lsm_path_rename,
+ lsm_path_chmod,
+ lsm_path_chown,
+ lsm_path_chroot,
+ lsm_inode_alloc_security,
+ lsm_inode_free_security,
+ lsm_inode_init_security,
+ lsm_inode_create,
+ lsm_inode_link,
+ lsm_inode_unlink,
+ lsm_inode_symlink,
+ lsm_inode_mkdir,
+ lsm_inode_rmdir,
+ lsm_inode_mknod,
+ lsm_inode_rename,
+ lsm_inode_readlink,
+ lsm_inode_follow_link,
+ lsm_inode_permission,
+ lsm_inode_setattr,
+ lsm_inode_getattr,
+ lsm_inode_setxattr,
+ lsm_inode_post_setxattr,
+ lsm_inode_getxattr,
+ lsm_inode_listxattr,
+ lsm_inode_removexattr,
+ lsm_inode_need_killpriv,
+ lsm_inode_killpriv,
+ lsm_inode_getsecurity,
+ lsm_inode_setsecurity,
+ lsm_inode_listsecurity,
+ lsm_inode_getsecid,
+ lsm_file_permission,
+ lsm_file_alloc_security,
+ lsm_file_free_security,
+ lsm_file_ioctl,
+ lsm_mmap_addr,
+ lsm_mmap_file,
+ lsm_file_mprotect,
+ lsm_file_lock,
+ lsm_file_fcntl,
+ lsm_file_set_fowner,
+ lsm_file_send_sigiotask,
+ lsm_file_receive,
+ lsm_file_open,
+ lsm_task_create,
+ lsm_task_free,
+ lsm_cred_alloc_blank,
+ lsm_cred_free,
+ lsm_cred_prepare,
+ lsm_cred_transfer,
+ lsm_kernel_act_as,
+ lsm_kernel_create_files_as,
+ lsm_kernel_module_request,
+ lsm_kernel_module_from_file,
+ lsm_task_fix_setuid,
+ lsm_task_setpgid,
+ lsm_task_getpgid,
+ lsm_task_getsid,
+ lsm_task_getsecid,
+ lsm_task_setnice,
+ lsm_task_setioprio,
+ lsm_task_getioprio,
+ lsm_task_setrlimit,
+ lsm_task_setscheduler,
+ lsm_task_getscheduler,
+ lsm_task_movememory,
+ lsm_task_kill,
+ lsm_task_wait,
+ lsm_task_prctl,
+ lsm_task_to_inode,
+ lsm_ipc_permission,
+ lsm_ipc_getsecid,
+ lsm_msg_msg_alloc_security,
+ lsm_msg_msg_free_security,
+ lsm_msg_queue_alloc_security,
+ lsm_msg_queue_free_security,
+ lsm_msg_queue_associate,
+ lsm_msg_queue_msgctl,
+ lsm_msg_queue_msgsnd,
+ lsm_msg_queue_msgrcv,
+ lsm_shm_alloc_security,
+ lsm_shm_free_security,
+ lsm_shm_associate,
+ lsm_shm_shmctl,
+ lsm_shm_shmat,
+ lsm_sem_alloc_security,
+ lsm_sem_free_security,
+ lsm_sem_associate,
+ lsm_sem_semctl,
+ lsm_sem_semop,
+ lsm_netlink_send,
+ lsm_d_instantiate,
+ lsm_getprocattr,
+ lsm_setprocattr,
+ lsm_secid_to_secctx,
+ lsm_secctx_to_secid,
+ lsm_release_secctx,
+ lsm_inode_notifysecctx,
+ lsm_inode_setsecctx,
+ lsm_inode_getsecctx,
+ lsm_unix_stream_connect,
+ lsm_unix_may_send,
+ lsm_socket_create,
+ lsm_socket_post_create,
+ lsm_socket_bind,
+ lsm_socket_connect,
+ lsm_socket_listen,
+ lsm_socket_accept,
+ lsm_socket_sendmsg,
+ lsm_socket_recvmsg,
+ lsm_socket_getsockname,
+ lsm_socket_getpeername,
+ lsm_socket_getsockopt,
+ lsm_socket_setsockopt,
+ lsm_socket_shutdown,
+ lsm_socket_sock_rcv_skb,
+ lsm_socket_getpeersec_stream,
+ lsm_socket_getpeersec_dgram,
+ lsm_sk_alloc_security,
+ lsm_sk_free_security,
+ lsm_sk_clone_security,
+ lsm_sk_getsecid,
+ lsm_sock_graft,
+ lsm_inet_conn_request,
+ lsm_inet_csk_clone,
+ lsm_inet_conn_established,
+ lsm_secmark_relabel_packet,
+ lsm_secmark_refcount_inc,
+ lsm_secmark_refcount_dec,
+ lsm_req_classify_flow,
+ lsm_tun_dev_alloc_security,
+ lsm_tun_dev_free_security,
+ lsm_tun_dev_create,
+ lsm_tun_dev_attach_queue,
+ lsm_tun_dev_attach,
+ lsm_tun_dev_open,
+ lsm_skb_owned_by,
+ lsm_xfrm_policy_alloc_security,
+ lsm_xfrm_policy_clone_security,
+ lsm_xfrm_policy_free_security,
+ lsm_xfrm_policy_delete_security,
+ lsm_xfrm_state_alloc_security,
+ lsm_xfrm_state_free_security,
+ lsm_xfrm_state_delete_security,
+ lsm_xfrm_policy_lookup,
+ lsm_xfrm_state_pol_flow_match,
+ lsm_xfrm_decode_session,
+ lsm_key_alloc,
+ lsm_key_free,
+ lsm_key_permission,
+ lsm_key_getsecurity,
+ lsm_audit_rule_init,
+ lsm_audit_rule_known,
+ lsm_audit_rule_match,
+ lsm_audit_rule_free,
+ lsm_name, /* Used by security/inode.c */
+ LSM_MAX_HOOKS
+};
+
+/*
+ * There is a list for each hook.
+ */
+extern struct list_head lsm_hooks[LSM_MAX_HOOKS];
+
/**
* struct security_operations - main security structure
*
* Security module identifier.
*
+ * @list:
+ * An array of lists of hooks. These are traversed on
+ * hook execution.
+ *
* @name:
* A string that acts as a unique identifier for the LSM with max number
* of characters = SECURITY_NAME_MAX.
*
+ * @order:
+ * The numeric order in which this LSM will be invoked.
+ * Set during LSM initialization. Used to identify
+ * which security blob to use when there is more than one LSM.
+ *
* Security hooks for program execution operations.
*
* @bprm_set_creds:
@@ -1408,7 +1622,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* This is the main security structure.
*/
struct security_operations {
+ struct list_head list[LSM_MAX_HOOKS];
char name[SECURITY_NAME_MAX + 1];
+ int order;
int (*ptrace_access_check) (struct task_struct *child, unsigned int mode);
int (*ptrace_traceme) (struct task_struct *parent);
@@ -1690,14 +1906,19 @@ struct security_operations {
void (*audit_rule_free) (void *lsmrule);
#endif /* CONFIG_AUDIT */
};
-extern struct security_operations *security_ops;
+
+/*
+ * The security operations vector for /proc interfaces.
+ */
+extern struct security_operations *lsm_present;
/* prototypes */
extern int security_init(void);
extern int security_module_enable(struct security_operations *ops);
-extern int register_security(struct security_operations *ops);
-extern void __init security_fixup_ops(struct security_operations *ops);
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+extern void security_module_disable(struct security_operations *ops);
+#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
/* Security operations */
int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
@@ -2198,7 +2419,7 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer,
static inline void security_inode_getsecid(const struct inode *inode, struct secids *secid)
{
- secid->si_lsm[0] = 0;
+ *secid = 0;
}
static inline int security_file_permission(struct file *file, int mask)
@@ -2345,7 +2566,7 @@ static inline int security_task_getsid(struct task_struct *p)
static inline void security_task_getsecid(struct task_struct *p, struct secids *secid)
{
- secid->si_lsm[0] = 0;
+ *secid = 0;
}
static inline int security_task_setnice(struct task_struct *p, int nice)
@@ -2416,7 +2637,7 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp,
static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct secids *secid)
{
- secid->si_lsm[0] = 0;
+ *secid = 0;
}
static inline int security_msg_msg_alloc(struct msg_msg *msg)
@@ -2605,11 +2826,13 @@ int security_tun_dev_open(void *security);
void security_skb_owned_by(struct sk_buff *skb, struct sock *sk);
+extern struct security_operations *lsm_secmark_ops;
+
static inline int security_secmark_secctx_to_secid(const char *secdata,
u32 seclen, u32 *secid)
{
- if (security_ops && security_ops->secctx_to_secid)
- return security_ops->secctx_to_secid(secdata, seclen, secid);
+ if (lsm_secmark_ops && lsm_secmark_ops->secctx_to_secid)
+ return lsm_secmark_ops->secctx_to_secid(secdata, seclen, secid);
*secid = 0;
return 0;
}
@@ -2837,11 +3060,13 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl);
+extern struct security_operations *lsm_xfrm_ops;
+
static inline void security_xfrm_task_getsecid(struct task_struct *p,
u32 *secid)
{
- if (security_ops && security_ops->task_getsecid)
- security_ops->task_getsecid(p, secid);
+ if (lsm_xfrm_ops && lsm_xfrm_ops->task_getsecid)
+ lsm_xfrm_ops->task_getsecid(p, secid);
else
*secid = 0;
}
@@ -2849,8 +3074,8 @@ static inline void security_xfrm_task_getsecid(struct task_struct *p,
static inline int security_xfrm_secid_to_secctx(u32 secid, char **secdata,
u32 *seclen)
{
- if (security_ops && security_ops->secid_to_secctx)
- return security_ops->secid_to_secctx(secid, secdata, seclen);
+ if (lsm_xfrm_ops && lsm_xfrm_ops->secid_to_secctx)
+ return lsm_xfrm_ops->secid_to_secctx(secid, secdata, seclen);
return 0;
}
@@ -3134,36 +3359,5 @@ static inline void free_secdata(void *secdata)
{ }
#endif /* CONFIG_SECURITY */
-#ifdef CONFIG_SECURITY_YAMA
-extern int yama_ptrace_access_check(struct task_struct *child,
- unsigned int mode);
-extern int yama_ptrace_traceme(struct task_struct *parent);
-extern void yama_task_free(struct task_struct *task);
-extern int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
- unsigned long arg4, unsigned long arg5);
-#else
-static inline int yama_ptrace_access_check(struct task_struct *child,
- unsigned int mode)
-{
- return 0;
-}
-
-static inline int yama_ptrace_traceme(struct task_struct *parent)
-{
- return 0;
-}
-
-static inline void yama_task_free(struct task_struct *task)
-{
-}
-
-static inline int yama_task_prctl(int option, unsigned long arg2,
- unsigned long arg3, unsigned long arg4,
- unsigned long arg5)
-{
- return -ENOSYS;
-}
-#endif /* CONFIG_SECURITY_YAMA */
-
#endif /* ! __LINUX_SECURITY_H */
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a9f22be..6dde1d4 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -704,7 +704,7 @@ static inline void xfrm_audit_helper_usrinfo(kuid_t auid, u32 ses, u32 secid,
if (secid != 0 &&
security_xfrm_secid_to_secctx(secid, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len, security_ops);
+ security_release_secctx(secctx, secctx_len, lsm_xfrm_ops);
} else
audit_log_task_context(audit_buf);
}
diff --git a/kernel/audit.c b/kernel/audit.c
index a01ab21..1cca29d 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1549,9 +1549,13 @@ void audit_log_secctx(struct audit_buffer *ab, u32 secid)
struct secids secids;
struct security_operations *sop;
+ if (!lsm_secmark_ops)
+ return;
+
memset(&secids, 0, sizeof(secids));
- secids.si_lsm[0] = secid;
+ secids.si_lsm[lsm_secmark_ops->order] = secid;
+ secids.si_count = 1;
if (security_secid_to_secctx(&secids, &secctx, &len, &sop)) {
audit_panic("Cannot convert secid to context");
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index b42e160..03dd794 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -103,7 +103,7 @@ static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
memset(&secid, 0, sizeof(secid));
- secid.si_lsm[0] = ct->secmark;
+ secid.si_lsm[lsm_secmark_ops->order] = ct->secmark;
secid.si_count = 1;
ret = security_secid_to_secctx(&secid, &secctx, &len, &sop);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index cdcf9ab..7ebcbbf 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -304,7 +304,12 @@ ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
struct secids secid;
struct security_operations *sop;
- secid.si_lsm[0] = ct->secmark;
+ memset(&secid, 0, sizeof(secid));
+
+ if (lsm_secmark_ops) {
+ secid.si_lsm[lsm_secmark_ops->order] = ct->secmark;
+ secid.si_count = 1;
+ }
ret = security_secid_to_secctx(&secid, &secctx, &len, &sop);
if (ret)
@@ -555,7 +560,12 @@ ctnetlink_secctx_size(const struct nf_conn *ct)
struct secids secid;
struct security_operations *sop;
- secid.si_lsm[0] = ct->secmark;
+ memset(&secid, 0, sizeof(secid));
+
+ if (lsm_secmark_ops) {
+ secid.si_lsm[lsm_secmark_ops->order] = ct->secmark;
+ secid.si_count = 1;
+ }
ret = security_secid_to_secctx(&secid, NULL, &len, &sop);
if (ret)
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index fc571d4..5f94265 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -128,7 +128,8 @@ static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
memset(&secid, 0, sizeof(secid));
- secid.si_lsm[0] = ct->secmark;
+ secid.si_lsm[lsm_secmark_ops->order] = ct->secmark;
+ secid.si_count = 1;
ret = security_secid_to_secctx(&secid, &secctx, &len, &sop);
if (ret)
diff --git a/security/Kconfig b/security/Kconfig
index e9c6ac7..b3a95b3 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -48,6 +48,40 @@ config SECURITY_NETWORK
implement socket and networking access controls.
If you are unsure how to answer this question, answer N.
+choice
+ depends on SECURITY && NETLABEL
+ prompt "Security module using Netlabel to label IP headers"
+ default NETLABEL_SECURITY_SMACK if SECURITY_SMACK
+ default NETLABEL_SECURITY_SELINUX if SECURITY_SELINUX
+
+ help
+ Select the security module that will send attribute
+ information in IP header options.
+ Most SELinux configurations do not take advantage
+ of Netlabel, while all Smack configurations do. Unless
+ there is a need to do otherwise chose Smack in preference
+ to SELinux.
+
+ config NETLABEL_SECURITY_SELINUX
+ bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Send SELinux MLS information in IP packet headers
+
+ config NETLABEL_SECURITY_SMACK
+ bool "Smack" if SECURITY_SMACK=y
+ help
+ Send Smack labels in IP packet headers
+
+endchoice
+
+config NETLABEL_LSM
+ string
+ default "smack" if NETLABEL_SECURITY_SMACK
+ default "selinux" if NETLABEL_SECURITY_SELINUX
+ default "NOTHING"
+ help
+ The name of the LSM to use with Netlabel
+
config SECURITY_NETWORK_XFRM
bool "XFRM (IPSec) Networking Security Hooks"
depends on XFRM && SECURITY_NETWORK
@@ -61,6 +95,54 @@ config SECURITY_NETWORK_XFRM
IPSec.
If you are unsure how to answer this question, answer N.
+choice
+ depends on XFRM && SECURITY_NETWORK && SECURITY_NETWORK_XFRM
+ prompt "Security module providing the XFRM security hooks"
+ default XFRM_SECURITY_SELINUX if SECURITY_SELINUX
+
+ help
+ Select the security module that will send attribute
+ information based on IPSec policy
+ Most SELinux configurations take advantage of XFRM.
+
+ config XFRM_SECURITY_SELINUX
+ bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Use SELinux IPSec policy
+
+endchoice
+
+choice
+ depends on SECURITY_NETWORK
+ prompt "Security module providing the secmark security hooks"
+ default SECMARK_SECURITY_SELINUX if SECURITY_SELINUX
+
+ help
+ Select the security module that will send attribute
+ information based on secmark policy
+ Most SELinux configurations take advantage of secmark.
+
+ config SECMARK_SECURITY_SELINUX
+ bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Use SELinux secmark policy
+
+endchoice
+
+config SECMARK_LSM
+ string
+ default "selinux" if SECMARK_SECURITY_SELINUX
+ default "None"
+ help
+ The name of the LSM to use with the networking secmark
+
+config XFRM_LSM
+ string
+ default "selinux" if XFRM_SECURITY_SELINUX
+ default "None"
+ help
+ The name of the LSM to use with XFRM and IPSec policy
+
config SECURITY_PATH
bool "Security hooks for pathname based access control"
depends on SECURITY
@@ -123,49 +205,89 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/yama/Kconfig
+config SECURITY_COMPOSER_MAX
+ int "Maximum allowed security modules (1 to 12)"
+ depends on SECURITY
+ default 6
+ range 1 12
+ help
+ The number of security modules that can be loaded.
+ The default value allows for all of the upstream modules.
+ The maximum allowed value is 12.
+
+config DEFAULT_SECURITY
+ string "Ordered list of LSMs to register"
+ depends on SECURITY
+ default "ALL"
+ help
+ A comma separated list of LSMs to register.
+ LSMs that are not configured that are listed
+ will be ignored. If the "security=" option is
+ specified in the boot line it will override
+ this value. If the value is "ALL" all LSMs
+ configured in the kernel will be loaded in
+ the order they request registration.
+
source security/integrity/Kconfig
choice
- prompt "Default security module"
- default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
- default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
- default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
- default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
- default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
- default DEFAULT_SECURITY_DAC
+ depends on SECURITY
+ prompt "Presented security module"
+ default PRESENT_SECURITY_SELINUX \
+ if SECURITY_SELINUX && !(SECURITY_APPARMOR || SECURITY_SMACK)
+ default PRESENT_SECURITY_SMACK \
+ if SECURITY_SMACK && !(SECURITY_APPARMOR || SECURITY_SELINUX)
+ default PRESENT_SECURITY_APPARMOR \
+ if SECURITY_APPARMOR && !(SECURITY_SMACK || SECURITY_SELINUX)
+ default PRESENT_SECURITY_FIRST \
+ if SECURITY_APPARMOR || SECURITY_SMACK || SECURITY_SELINUX
+ default PRESENT_SECURITY_NONE
help
- Select the security module that will be used by default if the
- kernel parameter security= is not specified.
+ Select the security module that will be presented
+ with the /proc/*/attr interface.
+ If not specified the first registered LSM that uses
+ the /proc/*/attr interface will be chosen.
- config DEFAULT_SECURITY_SELINUX
+ config PRESENT_SECURITY_SELINUX
bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Present SELinux context information in the
+ files in /proc/*/attr
- config DEFAULT_SECURITY_SMACK
+ config PRESENT_SECURITY_SMACK
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+ help
+ Present Smack process label information
+ in /proc/*/attr/current
- config DEFAULT_SECURITY_TOMOYO
- bool "TOMOYO" if SECURITY_TOMOYO=y
-
- config DEFAULT_SECURITY_APPARMOR
+ config PRESENT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y
+ help
+ Present AppArmor context information in the
+ files in /proc/*/attr
- config DEFAULT_SECURITY_YAMA
- bool "Yama" if SECURITY_YAMA=y
+ config PRESENT_SECURITY_FIRST
+ bool "Use first registered LSM"
+ help
+ Present information from the first LSM that uses
+ /proc/*/attr in the files in /proc/*/attr
- config DEFAULT_SECURITY_DAC
- bool "Unix Discretionary Access Controls"
+ config PRESENT_SECURITY_NONE
+ bool "Present Nothing"
+ help
+ Do not present LSM information in /proc/*/attr
endchoice
-config DEFAULT_SECURITY
+config PRESENT_SECURITY
string
- default "selinux" if DEFAULT_SECURITY_SELINUX
- default "smack" if DEFAULT_SECURITY_SMACK
- default "tomoyo" if DEFAULT_SECURITY_TOMOYO
- default "apparmor" if DEFAULT_SECURITY_APPARMOR
- default "yama" if DEFAULT_SECURITY_YAMA
- default "" if DEFAULT_SECURITY_DAC
+ default "selinux" if PRESENT_SECURITY_SELINUX
+ default "smack" if PRESENT_SECURITY_SMACK
+ default "apparmor" if PRESENT_SECURITY_APPARMOR
+ default "FIRSTLSM" if PRESENT_SECURITY_FIRST
+ default "NOTHING"
+ help
+ The name of the LSM to present in /proc/.../attr
endmenu
-
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 1614111..e67c88c 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -353,9 +353,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
file_inode(bprm->file)->i_mode
};
const char *name = NULL, *target = NULL, *info = NULL;
- int error = cap_bprm_set_creds(bprm);
- if (error)
- return error;
+ int error = 0;
if (bprm->cred_prepared)
return 0;
@@ -539,15 +537,10 @@ cleanup:
*/
int apparmor_bprm_secureexec(struct linux_binprm *bprm)
{
- int ret = cap_bprm_secureexec(bprm);
-
/* the decision to use secure exec is computed in set_creds
* and stored in bprm->unsafe.
*/
- if (!ret && (bprm->unsafe & AA_SECURE_X_NEEDED))
- ret = 1;
-
- return ret;
+ return bprm->unsafe & AA_SECURE_X_NEEDED;
}
/**
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8784681..6542339 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -96,19 +96,11 @@ static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
static int apparmor_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int error = cap_ptrace_access_check(child, mode);
- if (error)
- return error;
-
return aa_ptrace(current, child, mode);
}
static int apparmor_ptrace_traceme(struct task_struct *parent)
{
- int error = cap_ptrace_traceme(parent);
- if (error)
- return error;
-
return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
}
@@ -140,14 +132,11 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit)
{
struct aa_profile *profile;
- /* cap_capable returns 0 on success, else -EPERM */
- int error = cap_capable(cred, ns, cap, audit);
- if (!error) {
- profile = aa_cred_profile(cred);
- if (!unconfined(profile))
- error = aa_capable(current, profile, cap, audit);
- }
- return error;
+
+ profile = aa_cred_profile(cred);
+ if (!unconfined(profile))
+ return aa_capable(current, profile, cap, audit);
+ return 0;
}
/**
@@ -897,7 +886,7 @@ static int __init apparmor_init(void)
{
int error;
- if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) {
+ if (!apparmor_enabled || security_module_enable(&apparmor_ops)) {
aa_info_message("AppArmor disabled by boot time parameter");
apparmor_enabled = 0;
return 0;
@@ -915,12 +904,6 @@ static int __init apparmor_init(void)
goto register_security_out;
}
- error = register_security(&apparmor_ops);
- if (error) {
- AA_ERROR("Unable to register AppArmor\n");
- goto set_init_cxt_out;
- }
-
/* Report that AppArmor successfully initialized */
apparmor_initialized = 1;
if (aa_g_profile_mode == APPARMOR_COMPLAIN)
@@ -932,9 +915,6 @@ static int __init apparmor_init(void)
return error;
-set_init_cxt_out:
- aa_free_task_context(current->real_cred->security);
-
register_security_out:
aa_free_root_ns();
diff --git a/security/capability.c b/security/capability.c
index 08bca78..d7b2a38 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -975,7 +975,6 @@ void __init security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, file_free_security);
set_to_cap_if_null(ops, file_ioctl);
set_to_cap_if_null(ops, mmap_addr);
- set_to_cap_if_null(ops, mmap_file);
set_to_cap_if_null(ops, file_mprotect);
set_to_cap_if_null(ops, file_lock);
set_to_cap_if_null(ops, file_fcntl);
diff --git a/security/commoncap.c b/security/commoncap.c
index c44b6fe..3b12ab1 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -988,9 +988,3 @@ int cap_mmap_addr(unsigned long addr)
}
return ret;
}
-
-int cap_mmap_file(struct file *file, unsigned long reqprot,
- unsigned long prot, unsigned long flags)
-{
- return 0;
-}
diff --git a/security/inode.c b/security/inode.c
index 43ce6e1..1ca6aaf 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -21,6 +21,9 @@
#include <linux/namei.h>
#include <linux/security.h>
#include <linux/magic.h>
+#ifdef CONFIG_SECURITY
+#include <linux/lsm.h>
+#endif
static struct vfsmount *mount;
static int mount_count;
@@ -215,6 +218,70 @@ void securityfs_remove(struct dentry *dentry)
}
EXPORT_SYMBOL_GPL(securityfs_remove);
+#ifdef CONFIG_SECURITY
+static struct dentry *lsm_dentry;
+static ssize_t lsm_read(struct file *filp, char __user *buf, size_t count,
+ loff_t *ppos)
+{
+ struct security_operations *sop;
+ char *data;
+ int len;
+
+ data = kzalloc(COMPOSER_NAMES_MAX + 1, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
+ list_for_each_entry(sop, &lsm_hooks[lsm_name], list[lsm_name]) {
+ strcat(data, sop->name);
+ strcat(data, ",");
+ }
+ len = strlen(data);
+ if (len > 1)
+ data[len-1] = '\n';
+
+ len = simple_read_from_buffer(buf, count, ppos, data, len);
+ kfree(data);
+
+ return len;
+}
+
+static const struct file_operations lsm_ops = {
+ .read = lsm_read,
+ .llseek = generic_file_llseek,
+};
+
+static struct dentry *present_dentry;
+static ssize_t present_read(struct file *filp, char __user *buf, size_t count,
+ loff_t *ppos)
+{
+ struct security_operations *sop = lsm_present;
+ char *raw;
+ char *data;
+ int len;
+
+ if (sop)
+ raw = sop->name;
+ else
+ raw = "(none)";
+ len = strlen(raw);
+
+ data = kstrdup(raw, GFP_KERNEL);
+ if (data == NULL)
+ return -ENOMEM;
+
+ data[len] = '\n';
+ len = simple_read_from_buffer(buf, count, ppos, data, len + 1);
+ kfree(data);
+
+ return len;
+}
+
+static const struct file_operations present_ops = {
+ .read = present_read,
+ .llseek = generic_file_llseek,
+};
+#endif /* CONFIG_SECURITY */
+
static struct kobject *security_kobj;
static int __init securityfs_init(void)
@@ -226,9 +293,17 @@ static int __init securityfs_init(void)
return -EINVAL;
retval = register_filesystem(&fs_type);
- if (retval)
+ if (retval) {
kobject_put(security_kobj);
- return retval;
+ return retval;
+ }
+#ifdef CONFIG_SECURITY
+ lsm_dentry = securityfs_create_file("lsm", S_IRUGO, NULL, NULL,
+ &lsm_ops);
+ present_dentry = securityfs_create_file("present", S_IRUGO, NULL, NULL,
+ &present_ops);
+#endif /* CONFIG_SECURITY */
+ return 0;
}
core_initcall(securityfs_init);
diff --git a/security/security.c b/security/security.c
index 67e435b..86147c4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -25,32 +25,331 @@
#include <linux/personality.h>
#include <linux/backing-dev.h>
#include <net/flow.h>
+#include <linux/lsm.h>
+#include <linux/shm.h>
+#include <linux/string.h>
+#ifdef CONFIG_NETLABEL_LSM
+#include <net/netlabel.h>
+#endif
#define MAX_LSM_EVM_XATTR 2
+#define PRESENT_FIRST "FIRSTLSM"
/* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
- CONFIG_DEFAULT_SECURITY;
-struct security_operations *security_ops;
-EXPORT_SYMBOL(security_ops);
+static __initdata int lsm_order_set;
+static __initdata char specified_lsms[COMPOSER_MAX][SECURITY_NAME_MAX + 1];
+static __initdata char allowed_lsms[COMPOSER_NAMES_MAX];
+static __initdata char present_lsm[SECURITY_NAME_MAX + 1] =
+ CONFIG_PRESENT_SECURITY;
+
+struct list_head lsm_hooks[LSM_MAX_HOOKS];
+struct security_operations *lsm_present;
+struct security_operations *lsm_secmark_ops;
+EXPORT_SYMBOL(lsm_secmark_ops);
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+struct security_operations *lsm_xfrm_ops;
+EXPORT_SYMBOL(lsm_xfrm_ops);
+#endif
+
+static int (*present_getprocattr)
+ (struct task_struct *p, char *name, char **value);
+static int (*present_setprocattr)
+ (struct task_struct *p, char *name, void *value, size_t size);
-static struct security_operations default_security_ops = {
- .name = "default",
-};
+static int lsm_count;
-static inline int __init verify(struct security_operations *ops)
+#define for_each_hook(SOP, HOOK) \
+ list_for_each_entry(SOP, &lsm_hooks[lsm_##HOOK], list[lsm_##HOOK])
+
+/*
+ * Add an entry to a list of security operation vectors.
+ * The "interesting" logic is included here rather than in the
+ * caller to reduce the volume of the calling code.
+ */
+static void __init lsm_enlist(struct security_operations *ops,
+ const enum lsm_hooks_index index,
+ void *interesting)
{
- /* verify the security_operations structure exists */
- if (!ops)
- return -EINVAL;
- security_fixup_ops(ops);
- return 0;
+ struct security_operations *sop;
+
+ if (!interesting) {
+ INIT_LIST_HEAD(&ops->list[index]);
+ return;
+ }
+
+ if (list_empty(&lsm_hooks[index])) {
+ list_add_rcu(&ops->list[index], &lsm_hooks[index]);
+ return;
+ }
+
+ list_for_each_entry(sop, &lsm_hooks[index], list[index]) {
+ if (ops->order < sop->order) {
+ list_add_tail_rcu(&ops->list[index], &sop->list[index]);
+ return;
+ }
+ if (list_is_last(&sop->list[index], &lsm_hooks[index])) {
+ list_add_rcu(&ops->list[index], &sop->list[index]);
+ return;
+ }
+ }
+}
+
+static void __init lsm_enlist_ops(struct security_operations *sop)
+{
+ lsm_enlist(sop, lsm_ptrace_access_check, sop->ptrace_access_check);
+ lsm_enlist(sop, lsm_ptrace_traceme, sop->ptrace_traceme);
+ lsm_enlist(sop, lsm_capget, sop->capget);
+ lsm_enlist(sop, lsm_capset, sop->capset);
+ lsm_enlist(sop, lsm_capable, sop->capable);
+ lsm_enlist(sop, lsm_quotactl, sop->quotactl);
+ lsm_enlist(sop, lsm_quota_on, sop->quota_on);
+ lsm_enlist(sop, lsm_syslog, sop->syslog);
+ lsm_enlist(sop, lsm_settime, sop->settime);
+ lsm_enlist(sop, lsm_vm_enough_memory, sop->vm_enough_memory);
+ lsm_enlist(sop, lsm_bprm_set_creds, sop->bprm_set_creds);
+ lsm_enlist(sop, lsm_bprm_check_security, sop->bprm_check_security);
+ lsm_enlist(sop, lsm_bprm_committing_creds, sop->bprm_committing_creds);
+ lsm_enlist(sop, lsm_bprm_committed_creds, sop->bprm_committed_creds);
+ lsm_enlist(sop, lsm_bprm_secureexec, sop->bprm_secureexec);
+ lsm_enlist(sop, lsm_sb_alloc_security, sop->sb_alloc_security);
+ lsm_enlist(sop, lsm_sb_free_security, sop->sb_free_security);
+ lsm_enlist(sop, lsm_sb_copy_data, sop->sb_copy_data);
+ lsm_enlist(sop, lsm_sb_remount, sop->sb_remount);
+ lsm_enlist(sop, lsm_sb_kern_mount, sop->sb_kern_mount);
+ lsm_enlist(sop, lsm_sb_show_options, sop->sb_show_options);
+ lsm_enlist(sop, lsm_sb_statfs, sop->sb_statfs);
+ lsm_enlist(sop, lsm_sb_mount, sop->sb_mount);
+ lsm_enlist(sop, lsm_sb_umount, sop->sb_umount);
+ lsm_enlist(sop, lsm_sb_pivotroot, sop->sb_pivotroot);
+ lsm_enlist(sop, lsm_sb_set_mnt_opts, sop->sb_set_mnt_opts);
+ lsm_enlist(sop, lsm_sb_clone_mnt_opts, sop->sb_clone_mnt_opts);
+ lsm_enlist(sop, lsm_sb_parse_opts_str, sop->sb_parse_opts_str);
+ lsm_enlist(sop, lsm_inode_alloc_security, sop->inode_alloc_security);
+ lsm_enlist(sop, lsm_inode_free_security, sop->inode_free_security);
+ lsm_enlist(sop, lsm_inode_init_security, sop->inode_init_security);
+#ifdef CONFIG_SECURITY_PATH
+ lsm_enlist(sop, lsm_path_mknod, sop->path_mknod);
+ lsm_enlist(sop, lsm_path_mkdir, sop->path_mkdir);
+ lsm_enlist(sop, lsm_path_rmdir, sop->path_rmdir);
+ lsm_enlist(sop, lsm_path_unlink, sop->path_unlink);
+ lsm_enlist(sop, lsm_path_symlink, sop->path_symlink);
+ lsm_enlist(sop, lsm_path_link, sop->path_link);
+ lsm_enlist(sop, lsm_path_rename, sop->path_rename);
+ lsm_enlist(sop, lsm_path_truncate, sop->path_truncate);
+ lsm_enlist(sop, lsm_path_chmod, sop->path_chmod);
+ lsm_enlist(sop, lsm_path_chown, sop->path_chown);
+ lsm_enlist(sop, lsm_path_chroot, sop->path_chroot);
+#endif
+ lsm_enlist(sop, lsm_inode_create, sop->inode_create);
+ lsm_enlist(sop, lsm_inode_link, sop->inode_link);
+ lsm_enlist(sop, lsm_inode_unlink, sop->inode_unlink);
+ lsm_enlist(sop, lsm_inode_symlink, sop->inode_symlink);
+ lsm_enlist(sop, lsm_inode_mkdir, sop->inode_mkdir);
+ lsm_enlist(sop, lsm_inode_rmdir, sop->inode_rmdir);
+ lsm_enlist(sop, lsm_inode_mknod, sop->inode_mknod);
+ lsm_enlist(sop, lsm_inode_rename, sop->inode_rename);
+ lsm_enlist(sop, lsm_inode_readlink, sop->inode_readlink);
+ lsm_enlist(sop, lsm_inode_follow_link, sop->inode_follow_link);
+ lsm_enlist(sop, lsm_inode_permission, sop->inode_permission);
+ lsm_enlist(sop, lsm_inode_setattr, sop->inode_setattr);
+ lsm_enlist(sop, lsm_inode_getattr, sop->inode_getattr);
+ lsm_enlist(sop, lsm_inode_setxattr, sop->inode_setxattr);
+ lsm_enlist(sop, lsm_inode_post_setxattr, sop->inode_post_setxattr);
+ lsm_enlist(sop, lsm_inode_getxattr, sop->inode_getxattr);
+ lsm_enlist(sop, lsm_inode_listxattr, sop->inode_listxattr);
+ lsm_enlist(sop, lsm_inode_removexattr, sop->inode_removexattr);
+ lsm_enlist(sop, lsm_inode_need_killpriv, sop->inode_need_killpriv);
+ lsm_enlist(sop, lsm_inode_killpriv, sop->inode_killpriv);
+ lsm_enlist(sop, lsm_inode_getsecurity, sop->inode_getsecurity);
+ lsm_enlist(sop, lsm_inode_setsecurity, sop->inode_setsecurity);
+ lsm_enlist(sop, lsm_inode_listsecurity, sop->inode_listsecurity);
+ lsm_enlist(sop, lsm_inode_getsecid, sop->inode_getsecid);
+ lsm_enlist(sop, lsm_file_permission, sop->file_permission);
+ lsm_enlist(sop, lsm_file_alloc_security, sop->file_alloc_security);
+ lsm_enlist(sop, lsm_file_free_security, sop->file_free_security);
+ lsm_enlist(sop, lsm_file_ioctl, sop->file_ioctl);
+ lsm_enlist(sop, lsm_mmap_file, sop->mmap_file);
+ lsm_enlist(sop, lsm_mmap_addr, sop->mmap_addr);
+ lsm_enlist(sop, lsm_file_mprotect, sop->file_mprotect);
+ lsm_enlist(sop, lsm_file_lock, sop->file_lock);
+ lsm_enlist(sop, lsm_file_fcntl, sop->file_fcntl);
+ lsm_enlist(sop, lsm_file_set_fowner, sop->file_set_fowner);
+ lsm_enlist(sop, lsm_file_send_sigiotask, sop->file_send_sigiotask);
+ lsm_enlist(sop, lsm_file_receive, sop->file_receive);
+ lsm_enlist(sop, lsm_file_open, sop->file_open);
+ lsm_enlist(sop, lsm_task_create, sop->task_create);
+ lsm_enlist(sop, lsm_task_free, sop->task_free);
+ lsm_enlist(sop, lsm_cred_alloc_blank, sop->cred_alloc_blank);
+ lsm_enlist(sop, lsm_cred_free, sop->cred_free);
+ lsm_enlist(sop, lsm_cred_prepare, sop->cred_prepare);
+ lsm_enlist(sop, lsm_cred_transfer, sop->cred_transfer);
+ lsm_enlist(sop, lsm_kernel_act_as, sop->kernel_act_as);
+ lsm_enlist(sop, lsm_kernel_create_files_as,
+ sop->kernel_create_files_as);
+ lsm_enlist(sop, lsm_kernel_module_request, sop->kernel_module_request);
+ lsm_enlist(sop, lsm_kernel_module_from_file,
+ sop->kernel_module_from_file);
+ lsm_enlist(sop, lsm_task_fix_setuid, sop->task_fix_setuid);
+ lsm_enlist(sop, lsm_task_setpgid, sop->task_setpgid);
+ lsm_enlist(sop, lsm_task_getpgid, sop->task_getpgid);
+ lsm_enlist(sop, lsm_task_getsid, sop->task_getsid);
+ lsm_enlist(sop, lsm_task_getsecid, sop->task_getsecid);
+ lsm_enlist(sop, lsm_task_setnice, sop->task_setnice);
+ lsm_enlist(sop, lsm_task_setioprio, sop->task_setioprio);
+ lsm_enlist(sop, lsm_task_getioprio, sop->task_getioprio);
+ lsm_enlist(sop, lsm_task_setrlimit, sop->task_setrlimit);
+ lsm_enlist(sop, lsm_task_setscheduler, sop->task_setscheduler);
+ lsm_enlist(sop, lsm_task_getscheduler, sop->task_getscheduler);
+ lsm_enlist(sop, lsm_task_movememory, sop->task_movememory);
+ lsm_enlist(sop, lsm_task_kill, sop->task_kill);
+ lsm_enlist(sop, lsm_task_wait, sop->task_wait);
+ lsm_enlist(sop, lsm_task_prctl, sop->task_prctl);
+ lsm_enlist(sop, lsm_task_to_inode, sop->task_to_inode);
+ lsm_enlist(sop, lsm_ipc_permission, sop->ipc_permission);
+ lsm_enlist(sop, lsm_ipc_getsecid, sop->ipc_getsecid);
+ lsm_enlist(sop, lsm_msg_msg_alloc_security,
+ sop->msg_msg_alloc_security);
+ lsm_enlist(sop, lsm_msg_msg_free_security, sop->msg_msg_free_security);
+ lsm_enlist(sop, lsm_msg_queue_alloc_security,
+ sop->msg_queue_alloc_security);
+ lsm_enlist(sop, lsm_msg_queue_free_security,
+ sop->msg_queue_free_security);
+ lsm_enlist(sop, lsm_msg_queue_associate, sop->msg_queue_associate);
+ lsm_enlist(sop, lsm_msg_queue_msgctl, sop->msg_queue_msgctl);
+ lsm_enlist(sop, lsm_msg_queue_msgsnd, sop->msg_queue_msgsnd);
+ lsm_enlist(sop, lsm_msg_queue_msgrcv, sop->msg_queue_msgrcv);
+ lsm_enlist(sop, lsm_shm_alloc_security, sop->shm_alloc_security);
+ lsm_enlist(sop, lsm_shm_free_security, sop->shm_free_security);
+ lsm_enlist(sop, lsm_shm_associate, sop->shm_associate);
+ lsm_enlist(sop, lsm_shm_shmctl, sop->shm_shmctl);
+ lsm_enlist(sop, lsm_shm_shmat, sop->shm_shmat);
+ lsm_enlist(sop, lsm_sem_alloc_security, sop->sem_alloc_security);
+ lsm_enlist(sop, lsm_sem_free_security, sop->sem_free_security);
+ lsm_enlist(sop, lsm_sem_associate, sop->sem_associate);
+ lsm_enlist(sop, lsm_sem_semctl, sop->sem_semctl);
+ lsm_enlist(sop, lsm_sem_semop, sop->sem_semop);
+ lsm_enlist(sop, lsm_d_instantiate, sop->d_instantiate);
+ lsm_enlist(sop, lsm_getprocattr, sop->getprocattr);
+ lsm_enlist(sop, lsm_setprocattr, sop->setprocattr);
+ lsm_enlist(sop, lsm_netlink_send, sop->netlink_send);
+ lsm_enlist(sop, lsm_secid_to_secctx, sop->secid_to_secctx);
+ lsm_enlist(sop, lsm_secctx_to_secid, sop->secctx_to_secid);
+ lsm_enlist(sop, lsm_release_secctx, sop->release_secctx);
+ lsm_enlist(sop, lsm_inode_notifysecctx, sop->inode_notifysecctx);
+ lsm_enlist(sop, lsm_inode_setsecctx, sop->inode_setsecctx);
+ lsm_enlist(sop, lsm_inode_getsecctx, sop->inode_getsecctx);
+#ifdef CONFIG_SECURITY_NETWORK
+ lsm_enlist(sop, lsm_unix_stream_connect, sop->unix_stream_connect);
+ lsm_enlist(sop, lsm_unix_may_send, sop->unix_may_send);
+ lsm_enlist(sop, lsm_socket_create, sop->socket_create);
+ lsm_enlist(sop, lsm_socket_post_create, sop->socket_post_create);
+ lsm_enlist(sop, lsm_socket_bind, sop->socket_bind);
+ lsm_enlist(sop, lsm_socket_connect, sop->socket_connect);
+ lsm_enlist(sop, lsm_socket_listen, sop->socket_listen);
+ lsm_enlist(sop, lsm_socket_accept, sop->socket_accept);
+ lsm_enlist(sop, lsm_socket_sendmsg, sop->socket_sendmsg);
+ lsm_enlist(sop, lsm_socket_recvmsg, sop->socket_recvmsg);
+ lsm_enlist(sop, lsm_socket_getsockname, sop->socket_getsockname);
+ lsm_enlist(sop, lsm_socket_getpeername, sop->socket_getpeername);
+ lsm_enlist(sop, lsm_socket_getsockopt, sop->socket_getsockopt);
+ lsm_enlist(sop, lsm_socket_setsockopt, sop->socket_setsockopt);
+ lsm_enlist(sop, lsm_socket_shutdown, sop->socket_shutdown);
+ lsm_enlist(sop, lsm_socket_sock_rcv_skb, sop->socket_sock_rcv_skb);
+ lsm_enlist(sop, lsm_socket_getpeersec_stream,
+ sop->socket_getpeersec_stream);
+ lsm_enlist(sop, lsm_socket_getpeersec_dgram,
+ sop->socket_getpeersec_dgram);
+ lsm_enlist(sop, lsm_sk_alloc_security, sop->sk_alloc_security);
+ lsm_enlist(sop, lsm_sk_free_security, sop->sk_free_security);
+ lsm_enlist(sop, lsm_sk_clone_security, sop->sk_clone_security);
+ lsm_enlist(sop, lsm_req_classify_flow, sop->req_classify_flow);
+ lsm_enlist(sop, lsm_sock_graft, sop->sock_graft);
+ lsm_enlist(sop, lsm_inet_conn_request, sop->inet_conn_request);
+ lsm_enlist(sop, lsm_inet_csk_clone, sop->inet_csk_clone);
+ lsm_enlist(sop, lsm_inet_conn_established, sop->inet_conn_established);
+ lsm_enlist(sop, lsm_secmark_relabel_packet,
+ sop->secmark_relabel_packet);
+ lsm_enlist(sop, lsm_secmark_refcount_inc, sop->secmark_refcount_inc);
+ lsm_enlist(sop, lsm_secmark_refcount_dec, sop->secmark_refcount_dec);
+ lsm_enlist(sop, lsm_tun_dev_create, sop->tun_dev_create);
+ lsm_enlist(sop, lsm_tun_dev_attach, sop->tun_dev_attach);
+ lsm_enlist(sop, lsm_skb_owned_by, sop->skb_owned_by);
+#endif
+#ifdef CONFIG_SECURITY_NETWORK_XFRM
+ lsm_enlist(sop, lsm_xfrm_policy_alloc_security,
+ sop->xfrm_policy_alloc_security);
+ lsm_enlist(sop, lsm_xfrm_policy_clone_security,
+ sop->xfrm_policy_clone_security);
+ lsm_enlist(sop, lsm_xfrm_policy_free_security,
+ sop->xfrm_policy_free_security);
+ lsm_enlist(sop, lsm_xfrm_policy_delete_security,
+ sop->xfrm_policy_delete_security);
+ lsm_enlist(sop, lsm_xfrm_state_alloc_security,
+ sop->xfrm_state_alloc_security);
+ lsm_enlist(sop, lsm_xfrm_state_delete_security,
+ sop->xfrm_state_delete_security);
+ lsm_enlist(sop, lsm_xfrm_state_free_security,
+ sop->xfrm_state_free_security);
+ lsm_enlist(sop, lsm_xfrm_policy_lookup, sop->xfrm_policy_lookup);
+ lsm_enlist(sop, lsm_xfrm_state_pol_flow_match,
+ sop->xfrm_state_pol_flow_match);
+ lsm_enlist(sop, lsm_xfrm_decode_session, sop->xfrm_decode_session);
+#endif
+#ifdef CONFIG_KEYS
+ lsm_enlist(sop, lsm_key_alloc, sop->key_alloc);
+ lsm_enlist(sop, lsm_key_free, sop->key_free);
+ lsm_enlist(sop, lsm_key_permission, sop->key_permission);
+ lsm_enlist(sop, lsm_key_getsecurity, sop->key_getsecurity);
+#endif
+#ifdef CONFIG_AUDIT
+ lsm_enlist(sop, lsm_audit_rule_init, sop->audit_rule_init);
+ lsm_enlist(sop, lsm_audit_rule_known, sop->audit_rule_known);
+ lsm_enlist(sop, lsm_audit_rule_free, sop->audit_rule_free);
+ lsm_enlist(sop, lsm_audit_rule_match, sop->audit_rule_match);
+#endif
+
+ lsm_enlist(sop, lsm_name, sop->name);
+}
+
+/* Save user chosen LSM(s) */
+static int __init choose_lsm(char *str)
+{
+ char *cp;
+ char *ep;
+ int i;
+
+ if (lsm_order_set)
+ return 1;
+ if (!strcmp(str, "ALL"))
+ return 1;
+ lsm_order_set = 1;
+ pr_info("LSM order requested is \"%s\".\n", str);
+
+ strncpy(allowed_lsms, str, COMPOSER_NAMES_MAX);
+ cp = allowed_lsms;
+
+ for (i = 0; i < COMPOSER_MAX; i++) {
+ ep = strchr(cp, ',');
+ if (ep != NULL)
+ *ep = '\0';
+ if (strlen(cp) > SECURITY_NAME_MAX)
+ pr_warn("LSM \"%s\" is invalid and ignored.\n", cp);
+ else
+ strncpy(specified_lsms[i], cp, SECURITY_NAME_MAX);
+ if (ep == NULL)
+ break;
+ cp = ep + 1;
+ }
+
+ return 1;
}
+__setup("security=", choose_lsm);
static void __init do_security_initcalls(void)
{
initcall_t *call;
+
call = __security_initcall_start;
while (call < __security_initcall_end) {
(*call) ();
@@ -65,93 +364,368 @@ static void __init do_security_initcalls(void)
*/
int __init security_init(void)
{
- printk(KERN_INFO "Security Framework initialized\n");
+ enum lsm_hooks_index i;
+
+ for (i = 0; i < LSM_MAX_HOOKS; i++)
+ INIT_LIST_HEAD(&lsm_hooks[i]);
+
+ (void) choose_lsm(CONFIG_DEFAULT_SECURITY);
+ pr_info("Security Framework initialized\n");
- security_fixup_ops(&default_security_ops);
- security_ops = &default_security_ops;
do_security_initcalls();
return 0;
}
-void reset_security_ops(void)
+/*
+ * Only SELinux calls security_module_disable.
+ */
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+
+static void lsm_delist_ops(struct security_operations *sop)
{
- security_ops = &default_security_ops;
+ enum lsm_hooks_index i;
+
+ for (i = 0; i < LSM_MAX_HOOKS; i++)
+ if (sop->list[i].next && !list_empty(&sop->list[i]))
+ list_del_rcu(&sop->list[i]);
+ return;
}
-/* Save user chosen LSM */
-static int __init choose_lsm(char *str)
+/**
+ * security_module_disable - Remove hooks for an LSM
+ *
+ * @ops: the security operations for the LSM
+ *
+ * Remove the hooks for the LSM from the lists of security operations.
+ * This is not sufficient to "unregister" an LSM. The LSM will still
+ * have a slot in the lsm_blob and as the hooks that implement freeing
+ * of LSM data are removed memory leakage is almost certain to occur
+ * if the module uses security blobs.
+ */
+void security_module_disable(struct security_operations *ops)
{
- strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
- return 1;
+ /*
+ * This LSM is configured to own /proc/.../attr.
+ */
+ if (lsm_present == ops)
+ lsm_present = NULL;
+
+ lsm_delist_ops(ops);
}
-__setup("security=", choose_lsm);
+
+#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
/**
* security_module_enable - Load given security module on boot ?
* @ops: a pointer to the struct security_operations that is to be checked.
*
+ * returns 0 on success, -EINVAL -ENOENT -EBUSY as appropriate
+ *
* Each LSM must pass this method before registering its own operations
* to avoid security registration races. This method may also be used
* to check if your LSM is currently loaded during kernel initialization.
*
- * Return true if:
- * -The passed LSM is the one chosen by user at boot time,
- * -or the passed LSM is configured as the default and the user did not
- * choose an alternate LSM at boot time.
- * Otherwise, return false.
*/
int __init security_module_enable(struct security_operations *ops)
{
- return !strcmp(ops->name, chosen_lsm);
-}
+ struct security_operations *sop;
+ int i;
-/**
- * register_security - registers a security framework with the kernel
- * @ops: a pointer to the struct security_options that is to be registered
- *
- * This function allows a security module to register itself with the
- * kernel security subsystem. Some rudimentary checking is done on the @ops
- * value passed to this function. You'll need to check first if your LSM
- * is allowed to register its @ops by calling security_module_enable(@ops).
- *
- * If there is already a security module registered with the kernel,
- * an error will be returned. Otherwise %0 is returned on success.
- */
-int __init register_security(struct security_operations *ops)
-{
- if (verify(ops)) {
- printk(KERN_DEBUG "%s could not verify "
- "security_operations structure.\n", __func__);
+ /*
+ * Set up the operation vector early, but only once.
+ * This allows LSM specific file systems to check to see if they
+ * should come on line.
+ */
+ if (ops == NULL) {
+ pr_debug("%s could not verify security_operations.\n",
+ __func__);
return -EINVAL;
}
+ /*
+ * Return success if the LSM is already registered
+ */
+ for_each_hook(sop, name)
+ if (sop == ops)
+ return 0;
+
+ /*
+ * This LSM has not yet been ordered.
+ */
+ ops->order = -1;
+
+ if (lsm_count >= COMPOSER_MAX) {
+ pr_warn("Too many security modules. %s not loaded.\n",
+ ops->name);
+ return -EBUSY;
+ }
- if (security_ops != &default_security_ops)
- return -EAGAIN;
+ if (lsm_order_set) {
+ for (i = 0; specified_lsms[i][0] != '\0'; i++) {
+ if (strcmp(ops->name, specified_lsms[i]) == 0) {
+ ops->order = i;
+ break;
+ }
+ }
+ if (ops->order == -1) {
+ pr_notice("LSM %s declined by boot options.\n",
+ ops->name);
+ return -ENOENT;
+ }
+ }
+ /*
+ * The order will already be set if the command line
+ * includes "security=" or CONFIG_DEFAULT_SECURITY was set.
+ * Do this before the enlisting.
+ */
+ if (ops->order == -1)
+ ops->order = lsm_count;
+ lsm_count++;
- security_ops = ops;
+ /*
+ * Use the LSM specified by CONFIG_SECURITY_PRESENT for
+ * [gs]etprocattr. If the LSM specified is PRESENT_FIRST
+ * use the first LSM to register that has the hooks.
+ * If the specified LSM lacks the hooks treat it as if
+ * there is no LSM registered that supplied them.
+ */
+ if (ops->getprocattr && ops->setprocattr &&
+ (!strcmp(ops->name, present_lsm) ||
+ (!lsm_present && !strcmp(PRESENT_FIRST, present_lsm)))) {
+ lsm_present = ops;
+ present_getprocattr = ops->getprocattr;
+ present_setprocattr = ops->setprocattr;
+ pr_info("Security Module %s is presented in /proc.\n",
+ ops->name);
+ }
+#ifdef CONFIG_NETLABEL_LSM
+ /*
+ * Reserve the netlabel subsystem for the specified LSM.
+ */
+ if (!strcmp(ops->name, CONFIG_NETLABEL_LSM)) {
+ i = netlbl_register_lsm(ops);
+ pr_info("Security Module %s %s Netlabel network labeling.\n",
+ ops->name, i ? "denied" : "uses");
+ }
+#endif
+#ifdef CONFIG_XFRM_LSM
+ /*
+ * Reserve the XFRM subsystem for the specified LSM.
+ */
+ if (!strcmp(ops->name, CONFIG_XFRM_LSM)) {
+ lsm_xfrm_ops = ops;
+ pr_info("Security Module %s uses XFRM network labeling.\n",
+ ops->name);
+ }
+#endif
+ /*
+ * Reserve the networking secmark for the specified LSM.
+ */
+ if (!strcmp(ops->name, CONFIG_SECMARK_LSM)) {
+ lsm_secmark_ops = ops;
+ pr_info("Security Module %s uses secmark network labeling.\n",
+ ops->name);
+ }
+ /*
+ * Return success after registering the LSM.
+ */
+ lsm_enlist_ops(ops);
return 0;
}
/* Security operations */
+/*
+ * Because so many of the cases are treated the same it
+ * cleans things up to use these macros instead of having
+ * duplicate text all over the place.
+ *
+ * call_void_hook:
+ * This is a hook that does not return a value.
+ *
+ * call_int_hook:
+ * This is a hook that returns a value. Return the last
+ * non-zero return.
+ *
+ * call_int_must:
+ * Returns 1 if any LSMs actually had hooks and one
+ * or more got called. The return value goes into RC.
+ *
+ * call_int_cap_first:
+ * Like cap_int_hook, but call the cap_hook first and
+ * bail on fail.
+ *
+ * call_int_cap_last:
+ * Like cap_int_cap_first, but call the cap_hook last.
+ *
+ * call_alloc_hook:
+ * Allocate not only the LSM security blobs, but a blob
+ * to hold pointers to all of them as well.
+ *
+ */
+#define call_void_hook(FUNC, ...) \
+ do { \
+ struct security_operations *sop; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) \
+ sop->FUNC(__VA_ARGS__); \
+ } while (0) \
+
+#define call_int_hook(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ } while (0); \
+ rc; \
+})
+
+#define call_int_must(RC, FUNC, ...) ({ \
+ int called = 0; \
+ RC = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ RC = thisrc; \
+ called = 1; \
+ } \
+ } while (0); \
+ called; \
+})
+
+#define call_int_cap_first(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ thisrc = cap_##FUNC(__VA_ARGS__); \
+ if (thisrc) { \
+ rc = thisrc; \
+ break; \
+ } \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ } while (0); \
+ rc; \
+})
+
+#define call_int_cap_last(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ int thisrc; \
+ \
+ list_for_each_entry(sop, &lsm_hooks[lsm_##FUNC], \
+ list[lsm_##FUNC]) { \
+ thisrc = sop->FUNC(__VA_ARGS__); \
+ if (thisrc) \
+ rc = thisrc; \
+ } \
+ \
+ if (!rc) \
+ rc = cap_##FUNC(__VA_ARGS__); \
+ } while (0); \
+ rc; \
+})
+
+
+#define call_alloc_hook(ALLOC, FREE, FIELD, GFP, ARG) ({ \
+ int rc = 0; \
+ do { \
+ struct security_operations *sop; \
+ struct security_operations *note[COMPOSER_MAX]; \
+ struct lsm_blob tblob; \
+ struct lsm_blob *bp = NULL; \
+ int successes = 0; \
+ \
+ memset(&tblob, 0, sizeof(tblob)); \
+ FIELD = &tblob; \
+ for_each_hook(sop, ALLOC) { \
+ rc = sop->ALLOC(ARG); \
+ if (rc) \
+ break; \
+ note[successes++] = sop; \
+ } \
+ if (tblob.lsm_setcount != 0) { \
+ if (rc == 0) \
+ bp = kmemdup(&tblob, sizeof(tblob), GFP); \
+ if (bp == NULL) { \
+ if (rc == 0) \
+ rc = -ENOMEM; \
+ while (successes > 0) \
+ note[--successes]->FREE(ARG); \
+ } \
+ } \
+ FIELD = bp; \
+ } while (0); \
+ rc; \
+})
+
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
- return security_ops->ptrace_access_check(child, mode);
+ return call_int_cap_first(ptrace_access_check, child, mode);
}
int security_ptrace_traceme(struct task_struct *parent)
{
- return security_ops->ptrace_traceme(parent);
+ return call_int_cap_first(ptrace_traceme, parent);
}
+/*
+ * Odd duck hook handling.
+ * This hook returns the set of capabilities available to
+ * the "target" task. Apparmor restricts the capabilities
+ * based on profile and SELinux may deny the ability to
+ * look and see what they are. cap_capget never fails.
+ */
int security_capget(struct task_struct *target,
kernel_cap_t *effective,
kernel_cap_t *inheritable,
kernel_cap_t *permitted)
{
- return security_ops->capget(target, effective, inheritable, permitted);
+ struct security_operations *sop;
+ kernel_cap_t cap[3];
+ kernel_cap_t this[3];
+ int rc;
+ int i;
+
+ rc = cap_capget(target, &cap[0], &cap[1], &cap[2]);
+ if (rc != 0)
+ return rc;
+
+ for_each_hook(sop, capget) {
+ rc = sop->capget(target, &this[0], &this[1], &this[2]);
+ if (rc != 0)
+ return rc;
+ for (i = 0; i < 3; i++)
+ cap[i] = cap_intersect(cap[i], this[i]);
+ }
+
+ *effective = cap[0];
+ *inheritable = cap[1];
+ *permitted = cap[2];
+
+ return 0;
}
int security_capset(struct cred *new, const struct cred *old,
@@ -159,195 +733,225 @@ int security_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- return security_ops->capset(new, old,
- effective, inheritable, permitted);
+ return call_int_cap_first(capset, new, old, effective,
+ inheritable, permitted);
}
int security_capable(const struct cred *cred, struct user_namespace *ns,
int cap)
{
- return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT);
+ return call_int_cap_first(capable, cred, ns, cap, SECURITY_CAP_AUDIT);
}
int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
int cap)
{
- return security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT);
+ return call_int_cap_first(capable, cred, ns, cap, SECURITY_CAP_NOAUDIT);
}
int security_quotactl(int cmds, int type, int id, struct super_block *sb)
{
- return security_ops->quotactl(cmds, type, id, sb);
+ return call_int_hook(quotactl, cmds, type, id, sb);
}
int security_quota_on(struct dentry *dentry)
{
- return security_ops->quota_on(dentry);
+ return call_int_hook(quota_on, dentry);
}
int security_syslog(int type)
{
- return security_ops->syslog(type);
+ return call_int_hook(syslog, type);
}
int security_settime(const struct timespec *ts, const struct timezone *tz)
{
- return security_ops->settime(ts, tz);
+ return call_int_cap_first(settime, ts, tz);
}
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{
- return security_ops->vm_enough_memory(mm, pages);
+ return call_int_cap_first(vm_enough_memory, mm, pages);
}
int security_bprm_set_creds(struct linux_binprm *bprm)
{
- return security_ops->bprm_set_creds(bprm);
+ return call_int_cap_first(bprm_set_creds, bprm);
}
int security_bprm_check(struct linux_binprm *bprm)
{
- int ret;
+ int rc = call_int_hook(bprm_check_security, bprm);
+
+ if (rc)
+ return rc;
- ret = security_ops->bprm_check_security(bprm);
- if (ret)
- return ret;
return ima_bprm_check(bprm);
}
+
void security_bprm_committing_creds(struct linux_binprm *bprm)
{
- security_ops->bprm_committing_creds(bprm);
+ call_void_hook(bprm_committing_creds, bprm);
}
void security_bprm_committed_creds(struct linux_binprm *bprm)
{
- security_ops->bprm_committed_creds(bprm);
+ call_void_hook(bprm_committed_creds, bprm);
}
int security_bprm_secureexec(struct linux_binprm *bprm)
{
- return security_ops->bprm_secureexec(bprm);
+ return call_int_cap_last(bprm_secureexec, bprm);
}
int security_sb_alloc(struct super_block *sb)
{
- return security_ops->sb_alloc_security(sb);
+ return call_alloc_hook(sb_alloc_security, sb_free_security,
+ sb->s_security, GFP_KERNEL, sb);
}
void security_sb_free(struct super_block *sb)
{
- security_ops->sb_free_security(sb);
+ call_void_hook(sb_free_security, sb);
+
+ kfree(sb->s_security);
+ sb->s_security = NULL;
}
int security_sb_copy_data(char *orig, char *copy)
{
- return security_ops->sb_copy_data(orig, copy);
+ return call_int_hook(sb_copy_data, orig, copy);
}
EXPORT_SYMBOL(security_sb_copy_data);
int security_sb_remount(struct super_block *sb, void *data)
{
- return security_ops->sb_remount(sb, data);
+ return call_int_hook(sb_remount, sb, data);
}
int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
- return security_ops->sb_kern_mount(sb, flags, data);
+ return call_int_hook(sb_kern_mount, sb, flags, data);
}
int security_sb_show_options(struct seq_file *m, struct super_block *sb)
{
- return security_ops->sb_show_options(m, sb);
+ return call_int_hook(sb_show_options, m, sb);
}
int security_sb_statfs(struct dentry *dentry)
{
- return security_ops->sb_statfs(dentry);
+ return call_int_hook(sb_statfs, dentry);
}
int security_sb_mount(const char *dev_name, struct path *path,
const char *type, unsigned long flags, void *data)
{
- return security_ops->sb_mount(dev_name, path, type, flags, data);
+ return call_int_hook(sb_mount, dev_name, path, type, flags, data);
}
int security_sb_umount(struct vfsmount *mnt, int flags)
{
- return security_ops->sb_umount(mnt, flags);
+ return call_int_hook(sb_umount, mnt, flags);
}
int security_sb_pivotroot(struct path *old_path, struct path *new_path)
{
- return security_ops->sb_pivotroot(old_path, new_path);
+ return call_int_hook(sb_pivotroot, old_path, new_path);
}
int security_sb_set_mnt_opts(struct super_block *sb,
struct security_mnt_opts *opts)
{
- return security_ops->sb_set_mnt_opts(sb, opts);
+ int rc;
+
+ if (call_int_must(rc, sb_set_mnt_opts, sb, opts))
+ return rc;
+
+ if (unlikely(opts->num_mnt_opts))
+ return -EOPNOTSUPP;
+ return 0;
}
EXPORT_SYMBOL(security_sb_set_mnt_opts);
void security_sb_clone_mnt_opts(const struct super_block *oldsb,
struct super_block *newsb)
{
- security_ops->sb_clone_mnt_opts(oldsb, newsb);
+ call_void_hook(sb_clone_mnt_opts, oldsb, newsb);
}
EXPORT_SYMBOL(security_sb_clone_mnt_opts);
int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
{
- return security_ops->sb_parse_opts_str(options, opts);
+ return call_int_hook(sb_parse_opts_str, options, opts);
}
EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode)
{
- inode->i_security = NULL;
- return security_ops->inode_alloc_security(inode);
+ return call_alloc_hook(inode_alloc_security, inode_free_security,
+ inode->i_security, GFP_KERNEL, inode);
}
void security_inode_free(struct inode *inode)
{
integrity_inode_free(inode);
- security_ops->inode_free_security(inode);
+
+ call_void_hook(inode_free_security, inode);
+
+ kfree(inode->i_security);
+ inode->i_security = NULL;
}
int security_inode_init_security(struct inode *inode, struct inode *dir,
const struct qstr *qstr,
const initxattrs initxattrs, void *fs_data)
{
+ struct security_operations *sop;
struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1];
- struct xattr *lsm_xattr, *evm_xattr, *xattr;
- int ret;
+ struct xattr *lsm_xattr = new_xattrs;
+ struct xattr *evm_xattr;
+ struct xattr *xattr;
+ int thisrc;
+ int rc = 0;
+ int supported = 0;
if (unlikely(IS_PRIVATE(inode)))
return 0;
- memset(new_xattrs, 0, sizeof new_xattrs);
if (!initxattrs)
- return security_ops->inode_init_security(inode, dir, qstr,
- NULL, NULL, NULL);
- lsm_xattr = new_xattrs;
- ret = security_ops->inode_init_security(inode, dir, qstr,
- &lsm_xattr->name,
- &lsm_xattr->value,
- &lsm_xattr->value_len);
- if (ret)
- goto out;
-
- evm_xattr = lsm_xattr + 1;
- ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
- if (ret)
- goto out;
- ret = initxattrs(inode, new_xattrs, fs_data);
-out:
- for (xattr = new_xattrs; xattr->name != NULL; xattr++) {
- kfree(xattr->name);
- kfree(xattr->value);
+ return call_int_hook(inode_init_security, inode, dir, qstr,
+ NULL, NULL, NULL);
+
+ memset(new_xattrs, 0, sizeof new_xattrs);
+
+ for_each_hook(sop, inode_init_security) {
+ thisrc = sop->inode_init_security(inode, dir, qstr,
+ &lsm_xattr->name, &lsm_xattr->value,
+ &lsm_xattr->value_len);
+ if (thisrc != 0) {
+ if (thisrc != -EOPNOTSUPP) {
+ supported = 1;
+ rc = thisrc;
+ }
+ continue;
+ }
+ supported = 1;
+ evm_xattr = lsm_xattr + 1;
+ thisrc = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
+ if (thisrc == 0)
+ thisrc = initxattrs(inode, new_xattrs, fs_data);
+ if (thisrc != 0)
+ rc = thisrc;
+ for (xattr = new_xattrs; xattr->name != NULL; xattr++) {
+ kfree(xattr->name);
+ kfree(xattr->value);
+ }
}
- return (ret == -EOPNOTSUPP) ? 0 : ret;
+ if (supported)
+ return rc;
+ return 0;
}
EXPORT_SYMBOL(security_inode_init_security);
@@ -357,8 +961,9 @@ int security_old_inode_init_security(struct inode *inode, struct inode *dir,
{
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_init_security(inode, dir, qstr, name, value,
- len);
+
+ return call_int_hook(inode_init_security, inode, dir, qstr, name,
+ value, len);
}
EXPORT_SYMBOL(security_old_inode_init_security);
@@ -368,7 +973,8 @@ int security_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode,
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_mknod(dir, dentry, mode, dev);
+
+ return call_int_hook(path_mknod, dir, dentry, mode, dev);
}
EXPORT_SYMBOL(security_path_mknod);
@@ -376,7 +982,8 @@ int security_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_mkdir(dir, dentry, mode);
+
+ return call_int_hook(path_mkdir, dir, dentry, mode);
}
EXPORT_SYMBOL(security_path_mkdir);
@@ -384,14 +991,16 @@ int security_path_rmdir(struct path *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_rmdir(dir, dentry);
+
+ return call_int_hook(path_rmdir, dir, dentry);
}
int security_path_unlink(struct path *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_unlink(dir, dentry);
+
+ return call_int_hook(path_unlink, dir, dentry);
}
EXPORT_SYMBOL(security_path_unlink);
@@ -400,7 +1009,8 @@ int security_path_symlink(struct path *dir, struct dentry *dentry,
{
if (unlikely(IS_PRIVATE(dir->dentry->d_inode)))
return 0;
- return security_ops->path_symlink(dir, dentry, old_name);
+
+ return call_int_hook(path_symlink, dir, dentry, old_name);
}
int security_path_link(struct dentry *old_dentry, struct path *new_dir,
@@ -408,7 +1018,8 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir,
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
return 0;
- return security_ops->path_link(old_dentry, new_dir, new_dentry);
+
+ return call_int_hook(path_link, old_dentry, new_dir, new_dentry);
}
int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
@@ -417,8 +1028,9 @@ int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
- return security_ops->path_rename(old_dir, old_dentry, new_dir,
- new_dentry);
+
+ return call_int_hook(path_rename, old_dir, old_dentry, new_dir,
+ new_dentry);
}
EXPORT_SYMBOL(security_path_rename);
@@ -426,26 +1038,29 @@ int security_path_truncate(struct path *path)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_truncate(path);
+
+ return call_int_hook(path_truncate, path);
}
int security_path_chmod(struct path *path, umode_t mode)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_chmod(path, mode);
+
+ return call_int_hook(path_chmod, path, mode);
}
int security_path_chown(struct path *path, kuid_t uid, kgid_t gid)
{
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
return 0;
- return security_ops->path_chown(path, uid, gid);
+
+ return call_int_hook(path_chown, path, uid, gid);
}
int security_path_chroot(struct path *path)
{
- return security_ops->path_chroot(path);
+ return call_int_hook(path_chroot, path);
}
#endif
@@ -453,7 +1068,8 @@ int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_create(dir, dentry, mode);
+
+ return call_int_hook(inode_create, dir, dentry, mode);
}
EXPORT_SYMBOL_GPL(security_inode_create);
@@ -462,14 +1078,16 @@ int security_inode_link(struct dentry *old_dentry, struct inode *dir,
{
if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
return 0;
- return security_ops->inode_link(old_dentry, dir, new_dentry);
+
+ return call_int_hook(inode_link, old_dentry, dir, new_dentry);
}
int security_inode_unlink(struct inode *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_unlink(dir, dentry);
+
+ return call_int_hook(inode_unlink, dir, dentry);
}
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
@@ -477,14 +1095,16 @@ int security_inode_symlink(struct inode *dir, struct dentry *dentry,
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_symlink(dir, dentry, old_name);
+
+ return call_int_hook(inode_symlink, dir, dentry, old_name);
}
int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_mkdir(dir, dentry, mode);
+
+ return call_int_hook(inode_mkdir, dir, dentry, mode);
}
EXPORT_SYMBOL_GPL(security_inode_mkdir);
@@ -492,14 +1112,16 @@ int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_rmdir(dir, dentry);
+
+ return call_int_hook(inode_rmdir, dir, dentry);
}
int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
- return security_ops->inode_mknod(dir, dentry, mode, dev);
+
+ return call_int_hook(inode_mknod, dir, dentry, mode, dev);
}
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -508,40 +1130,45 @@ int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
- return security_ops->inode_rename(old_dir, old_dentry,
- new_dir, new_dentry);
+
+ return call_int_hook(inode_rename, old_dir, old_dentry, new_dir,
+ new_dentry);
}
int security_inode_readlink(struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_readlink(dentry);
+
+ return call_int_hook(inode_readlink, dentry);
}
int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_follow_link(dentry, nd);
+
+ return call_int_hook(inode_follow_link, dentry, nd);
}
int security_inode_permission(struct inode *inode, int mask)
{
if (unlikely(IS_PRIVATE(inode)))
return 0;
- return security_ops->inode_permission(inode, mask);
+
+ return call_int_hook(inode_permission, inode, mask);
}
int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_setattr(dentry, attr);
- if (ret)
- return ret;
+
+ rc = call_int_hook(inode_setattr, dentry, attr);
+ if (rc)
+ return rc;
return evm_inode_setattr(dentry, attr);
}
EXPORT_SYMBOL_GPL(security_inode_setattr);
@@ -550,22 +1177,25 @@ int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_getattr(mnt, dentry);
+
+ return call_int_hook(inode_getattr, mnt, dentry);
}
int security_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_setxattr(dentry, name, value, size, flags);
- if (ret)
- return ret;
- ret = ima_inode_setxattr(dentry, name, value, size);
- if (ret)
- return ret;
+
+ rc = call_int_hook(inode_setxattr, dentry, name, value, size, flags);
+
+ if (rc)
+ return rc;
+ rc = ima_inode_setxattr(dentry, name, value, size);
+ if (rc)
+ return rc;
return evm_inode_setxattr(dentry, name, value, size);
}
@@ -574,7 +1204,9 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name,
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return;
- security_ops->inode_post_setxattr(dentry, name, value, size, flags);
+
+ call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
+
evm_inode_post_setxattr(dentry, name, value, size);
}
@@ -582,93 +1214,154 @@ int security_inode_getxattr(struct dentry *dentry, const char *name)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_getxattr(dentry, name);
+
+ return call_int_hook(inode_getxattr, dentry, name);
}
int security_inode_listxattr(struct dentry *dentry)
{
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- return security_ops->inode_listxattr(dentry);
+
+ return call_int_hook(inode_listxattr, dentry);
}
int security_inode_removexattr(struct dentry *dentry, const char *name)
{
- int ret;
+ int rc;
if (unlikely(IS_PRIVATE(dentry->d_inode)))
return 0;
- ret = security_ops->inode_removexattr(dentry, name);
- if (ret)
- return ret;
- ret = ima_inode_removexattr(dentry, name);
- if (ret)
- return ret;
+
+ if (!call_int_must(rc, inode_removexattr, dentry, name))
+ rc = cap_inode_removexattr(dentry, name);
+
+ if (rc)
+ return rc;
+
+ rc = ima_inode_removexattr(dentry, name);
+ if (rc)
+ return rc;
return evm_inode_removexattr(dentry, name);
}
int security_inode_need_killpriv(struct dentry *dentry)
{
- return security_ops->inode_need_killpriv(dentry);
+ return call_int_cap_first(inode_need_killpriv, dentry);
}
int security_inode_killpriv(struct dentry *dentry)
{
- return security_ops->inode_killpriv(dentry);
+ return call_int_cap_first(inode_killpriv, dentry);
}
-int security_inode_getsecurity(const struct inode *inode, const char *name,
- void **buffer, bool alloc,
- struct security_operations **secops)
+int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc, struct security_operations **secops)
{
+ struct security_operations *sop;
+ int rc;
+
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_getsecurity(inode, name, buffer, alloc);
+
+ /*
+ * Only one LSM will supply a given "name".
+ * -EOPNOTSUPP is an indication that the LSM does not
+ * provide a value for the provided name.
+ */
+ for_each_hook(sop, inode_getsecurity) {
+ rc = sop->inode_getsecurity(inode, name, buffer, alloc);
+ if (rc != -EOPNOTSUPP) {
+ *secops = sop;
+ return rc;
+ }
+ }
+ return -EOPNOTSUPP;
}
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
{
+ struct security_operations *sop;
+ int rc;
+
if (unlikely(IS_PRIVATE(inode)))
return -EOPNOTSUPP;
- return security_ops->inode_setsecurity(inode, name, value, size, flags);
+
+ /*
+ * Only one LSM will set a given "name".
+ * -EOPNOTSUPP is an indication that the LSM does not
+ * set a value for the provided name.
+ */
+ for_each_hook(sop, inode_setsecurity) {
+ rc = sop->inode_setsecurity(inode, name, value, size, flags);
+ if (rc != -EOPNOTSUPP)
+ return rc;
+ }
+ return -EOPNOTSUPP;
}
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
+ struct security_operations *sop;
+ int rc = 0;
+ int thisrc;
+
if (unlikely(IS_PRIVATE(inode)))
return 0;
- return security_ops->inode_listsecurity(inode, buffer, buffer_size);
+
+ /*
+ * inode_listsecurity hooks never return negative values.
+ */
+ for_each_hook(sop, inode_listsecurity) {
+ thisrc = sop->inode_listsecurity(inode, buffer, buffer_size);
+ if (buffer != NULL)
+ buffer += thisrc;
+ buffer_size -= thisrc;
+ rc += thisrc;
+ }
+ return rc;
}
void security_inode_getsecid(const struct inode *inode, struct secids *secid)
{
- security_ops->inode_getsecid(inode, &secid->si_lsm[0]);
+ struct security_operations *sop;
+
+ memset(secid, 0, sizeof(*secid));
+
+ for_each_hook(sop, inode_getsecid) {
+ sop->inode_getsecid(inode, &secid->si_lsm[sop->order]);
+ secid->si_count++;
+ }
}
int security_file_permission(struct file *file, int mask)
{
- int ret;
+ int rc;
- ret = security_ops->file_permission(file, mask);
- if (ret)
- return ret;
+ rc = call_int_hook(file_permission, file, mask);
+
+ if (rc)
+ return rc;
return fsnotify_perm(file, mask);
}
int security_file_alloc(struct file *file)
{
- return security_ops->file_alloc_security(file);
+ return call_alloc_hook(file_alloc_security, file_free_security,
+ file->f_security, GFP_KERNEL, file);
}
void security_file_free(struct file *file)
{
- security_ops->file_free_security(file);
+ call_void_hook(file_free_security, file);
+
+ kfree(file->f_security);
+ file->f_security = NULL;
}
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
- return security_ops->file_ioctl(file, cmd, arg);
+ return call_int_hook(file_ioctl, file, cmd, arg);
}
static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
@@ -708,366 +1401,813 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
int security_mmap_file(struct file *file, unsigned long prot,
unsigned long flags)
{
- int ret;
- ret = security_ops->mmap_file(file, prot,
- mmap_prot(file, prot), flags);
- if (ret)
- return ret;
+ int rc;
+
+ rc = call_int_hook(mmap_file, file, prot, mmap_prot(file, prot),
+ flags);
+
+ if (rc)
+ return rc;
return ima_file_mmap(file, prot);
}
int security_mmap_addr(unsigned long addr)
{
- return security_ops->mmap_addr(addr);
+ return call_int_cap_last(mmap_addr, addr);
}
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
unsigned long prot)
{
- return security_ops->file_mprotect(vma, reqprot, prot);
+ return call_int_hook(file_mprotect, vma, reqprot, prot);
}
int security_file_lock(struct file *file, unsigned int cmd)
{
- return security_ops->file_lock(file, cmd);
+ return call_int_hook(file_lock, file, cmd);
}
int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
{
- return security_ops->file_fcntl(file, cmd, arg);
+ return call_int_hook(file_fcntl, file, cmd, arg);
}
int security_file_set_fowner(struct file *file)
{
- return security_ops->file_set_fowner(file);
+ return call_int_hook(file_set_fowner, file);
}
int security_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int sig)
{
- return security_ops->file_send_sigiotask(tsk, fown, sig);
+ return call_int_hook(file_send_sigiotask, tsk, fown, sig);
}
int security_file_receive(struct file *file)
{
- return security_ops->file_receive(file);
+ return call_int_hook(file_receive, file);
}
int security_file_open(struct file *file, const struct cred *cred)
{
- int ret;
+ int rc;
- ret = security_ops->file_open(file, cred);
- if (ret)
- return ret;
+ rc = call_int_hook(file_open, file, cred);
+
+ if (rc)
+ return rc;
return fsnotify_perm(file, MAY_OPEN);
}
int security_task_create(unsigned long clone_flags)
{
- return security_ops->task_create(clone_flags);
+ return call_int_hook(task_create, clone_flags);
}
void security_task_free(struct task_struct *task)
{
- security_ops->task_free(task);
+ call_void_hook(task_free, task);
}
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
- return security_ops->cred_alloc_blank(cred, gfp);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ cred->security = &tblob;
+
+ for_each_hook(sop, cred_alloc_blank) {
+ rc = sop->cred_alloc_blank(cred, gfp);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), gfp);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->cred_free(cred);
+ }
+ }
+ cred->security = bp;
+ return rc;
}
void security_cred_free(struct cred *cred)
{
- security_ops->cred_free(cred);
+ call_void_hook(cred_free, cred);
+
+ if (cred->security == NULL)
+ return;
+
+ kfree(cred->security);
+ cred->security = NULL;
}
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
{
- return security_ops->cred_prepare(new, old, gfp);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ /*
+ * new->security will be NULL on entry.
+ */
+ memset(&tblob, 0, sizeof(tblob));
+ new->security = &tblob;
+
+ for_each_hook(sop, cred_prepare) {
+ rc = sop->cred_prepare(new, old, gfp);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), gfp);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->cred_free(new);
+ }
+ }
+ new->security = bp;
+ return rc;
}
void security_transfer_creds(struct cred *new, const struct cred *old)
{
- security_ops->cred_transfer(new, old);
+ call_void_hook(cred_transfer, new, old);
}
int security_kernel_act_as(struct cred *new, struct secids *secid)
{
- return security_ops->kernel_act_as(new, secid->si_lsm[0]);
+ struct security_operations *sop;
+ int thisrc;
+ int rc = 0;
+
+ for_each_hook(sop, kernel_act_as) {
+ thisrc = sop->kernel_act_as(new, secid->si_lsm[sop->order]);
+ if (thisrc)
+ rc = thisrc;
+ }
+ return rc;
}
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
{
- return security_ops->kernel_create_files_as(new, inode);
+ return call_int_hook(kernel_create_files_as, new, inode);
}
int security_kernel_module_request(char *kmod_name)
{
- return security_ops->kernel_module_request(kmod_name);
+ return call_int_hook(kernel_module_request, kmod_name);
}
int security_kernel_module_from_file(struct file *file)
{
- int ret;
+ int rc;
- ret = security_ops->kernel_module_from_file(file);
- if (ret)
- return ret;
+ rc = call_int_hook(kernel_module_from_file, file);
+ if (rc)
+ return rc;
return ima_module_check(file);
}
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags)
{
- return security_ops->task_fix_setuid(new, old, flags);
+ return call_int_cap_first(task_fix_setuid, new, old, flags);
}
int security_task_setpgid(struct task_struct *p, pid_t pgid)
{
- return security_ops->task_setpgid(p, pgid);
+ return call_int_hook(task_setpgid, p, pgid);
}
int security_task_getpgid(struct task_struct *p)
{
- return security_ops->task_getpgid(p);
+ return call_int_hook(task_getpgid, p);
}
int security_task_getsid(struct task_struct *p)
{
- return security_ops->task_getsid(p);
+ return call_int_hook(task_getsid, p);
}
void security_task_getsecid(struct task_struct *p, struct secids *secid)
{
- security_ops->task_getsecid(p, &secid->si_lsm[0]);
+ struct security_operations *sop;
+
+ memset(secid, 0, sizeof(*secid));
+
+ for_each_hook(sop, task_getsecid) {
+ sop->task_getsecid(p, &secid->si_lsm[sop->order]);
+ secid->si_count++;
+ }
}
EXPORT_SYMBOL(security_task_getsecid);
int security_task_setnice(struct task_struct *p, int nice)
{
- return security_ops->task_setnice(p, nice);
+ return call_int_cap_first(task_setnice, p, nice);
}
int security_task_setioprio(struct task_struct *p, int ioprio)
{
- return security_ops->task_setioprio(p, ioprio);
+ return call_int_cap_first(task_setioprio, p, ioprio);
}
int security_task_getioprio(struct task_struct *p)
{
- return security_ops->task_getioprio(p);
+ return call_int_hook(task_getioprio, p);
}
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
struct rlimit *new_rlim)
{
- return security_ops->task_setrlimit(p, resource, new_rlim);
+ return call_int_hook(task_setrlimit, p, resource, new_rlim);
}
int security_task_setscheduler(struct task_struct *p)
{
- return security_ops->task_setscheduler(p);
+ return call_int_cap_first(task_setscheduler, p);
}
int security_task_getscheduler(struct task_struct *p)
{
- return security_ops->task_getscheduler(p);
+ return call_int_hook(task_getscheduler, p);
}
int security_task_movememory(struct task_struct *p)
{
- return security_ops->task_movememory(p);
+ return call_int_hook(task_movememory, p);
}
int security_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, const struct cred *ocred)
+ int sig, const struct cred *cred)
{
- return security_ops->task_kill(p, info, sig, ocred);
+ return call_int_hook(task_kill, p, info, sig, cred);
}
int security_task_wait(struct task_struct *p)
{
- return security_ops->task_wait(p);
+ return call_int_hook(task_wait, p);
}
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
- return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
+ struct security_operations *sop;
+ int rc;
+
+ rc = cap_task_prctl(option, arg2, arg3, arg4, arg5);
+ if (rc != -ENOSYS)
+ return rc;
+
+ for_each_hook(sop, task_prctl) {
+ rc = sop->task_prctl(option, arg2, arg3, arg4, arg5);
+ /*
+ * -ENOSYS returned if the lsm doesn't handle that control.
+ * If the LSM does handle the control return the result.
+ * The assumption for the time being is that no two LSMs
+ * will handle a control.
+ */
+ if (rc != -ENOSYS)
+ return rc;
+ }
+ return -ENOSYS;
}
void security_task_to_inode(struct task_struct *p, struct inode *inode)
{
- security_ops->task_to_inode(p, inode);
+ call_void_hook(task_to_inode, p, inode);
}
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
{
- return security_ops->ipc_permission(ipcp, flag);
+ return call_int_hook(ipc_permission, ipcp, flag);
}
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct secids *secid)
{
- security_ops->ipc_getsecid(ipcp, &secid->si_lsm[0]);
+ struct security_operations *sop;
+
+ memset(secid, 0, sizeof(*secid));
+
+ for_each_hook(sop, ipc_getsecid) {
+ sop->ipc_getsecid(ipcp, &secid->si_lsm[sop->order]);
+ secid->si_count++;
+ }
}
int security_msg_msg_alloc(struct msg_msg *msg)
{
- return security_ops->msg_msg_alloc_security(msg);
+ return call_alloc_hook(msg_msg_alloc_security, msg_msg_free_security,
+ msg->security, GFP_KERNEL, msg);
}
void security_msg_msg_free(struct msg_msg *msg)
{
- security_ops->msg_msg_free_security(msg);
+ call_void_hook(msg_msg_free_security, msg);
+
+ kfree(msg->security);
+ msg->security = NULL;
}
int security_msg_queue_alloc(struct msg_queue *msq)
{
- return security_ops->msg_queue_alloc_security(msq);
+ struct kern_ipc_perm *kp = &msq->q_perm;
+
+ return call_alloc_hook(msg_queue_alloc_security,
+ msg_queue_free_security, kp->security, GFP_KERNEL,
+ msq);
}
void security_msg_queue_free(struct msg_queue *msq)
{
- security_ops->msg_queue_free_security(msq);
+ call_void_hook(msg_queue_free_security, msq);
+
+ kfree(msq->q_perm.security);
+ msq->q_perm.security = NULL;
}
int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
- return security_ops->msg_queue_associate(msq, msqflg);
+ return call_int_hook(msg_queue_associate, msq, msqflg);
}
int security_msg_queue_msgctl(struct msg_queue *msq, int cmd)
{
- return security_ops->msg_queue_msgctl(msq, cmd);
+ return call_int_hook(msg_queue_msgctl, msq, cmd);
}
int security_msg_queue_msgsnd(struct msg_queue *msq,
struct msg_msg *msg, int msqflg)
{
- return security_ops->msg_queue_msgsnd(msq, msg, msqflg);
+ return call_int_hook(msg_queue_msgsnd, msq, msg, msqflg);
}
int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
struct task_struct *target, long type, int mode)
{
- return security_ops->msg_queue_msgrcv(msq, msg, target, type, mode);
+ return call_int_hook(msg_queue_msgrcv, msq, msg, target, type, mode);
}
int security_shm_alloc(struct shmid_kernel *shp)
{
- return security_ops->shm_alloc_security(shp);
+ struct kern_ipc_perm *kp = &shp->shm_perm;
+
+ return call_alloc_hook(shm_alloc_security, shm_free_security,
+ kp->security, GFP_KERNEL, shp);
}
void security_shm_free(struct shmid_kernel *shp)
{
- security_ops->shm_free_security(shp);
+ call_void_hook(shm_free_security, shp);
+
+ kfree(shp->shm_perm.security);
+ shp->shm_perm.security = NULL;
}
int security_shm_associate(struct shmid_kernel *shp, int shmflg)
{
- return security_ops->shm_associate(shp, shmflg);
+ return call_int_hook(shm_associate, shp, shmflg);
}
int security_shm_shmctl(struct shmid_kernel *shp, int cmd)
{
- return security_ops->shm_shmctl(shp, cmd);
+ return call_int_hook(shm_shmctl, shp, cmd);
}
int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg)
{
- return security_ops->shm_shmat(shp, shmaddr, shmflg);
+ return call_int_hook(shm_shmat, shp, shmaddr, shmflg);
}
int security_sem_alloc(struct sem_array *sma)
{
- return security_ops->sem_alloc_security(sma);
+ struct kern_ipc_perm *kp = &sma->sem_perm;
+
+ return call_alloc_hook(sem_alloc_security, sem_free_security,
+ kp->security, GFP_KERNEL, sma);
}
void security_sem_free(struct sem_array *sma)
{
- security_ops->sem_free_security(sma);
+ call_void_hook(sem_free_security, sma);
+
+ kfree(sma->sem_perm.security);
+ sma->sem_perm.security = NULL;
}
int security_sem_associate(struct sem_array *sma, int semflg)
{
- return security_ops->sem_associate(sma, semflg);
+ return call_int_hook(sem_associate, sma, semflg);
}
int security_sem_semctl(struct sem_array *sma, int cmd)
{
- return security_ops->sem_semctl(sma, cmd);
+ return call_int_hook(sem_semctl, sma, cmd);
}
int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
unsigned nsops, int alter)
{
- return security_ops->sem_semop(sma, sops, nsops, alter);
+ return call_int_hook(sem_semop, sma, sops, nsops, alter);
}
void security_d_instantiate(struct dentry *dentry, struct inode *inode)
{
if (unlikely(inode && IS_PRIVATE(inode)))
return;
- security_ops->d_instantiate(dentry, inode);
+
+ call_void_hook(d_instantiate, dentry, inode);
}
EXPORT_SYMBOL(security_d_instantiate);
int security_getprocattr(struct task_struct *p, char *name, char **value)
{
- return security_ops->getprocattr(p, name, value);
+ struct security_operations *sop;
+ struct secids secid;
+ char *lsm;
+ int lsmlen;
+ int rc;
+
+ /*
+ * Names will either be in the legacy form containing
+ * no periods (".") or they will be the LSM name followed
+ * by the legacy suffix. "current" or "selinux.current"
+ * The exception is "context", which gets all of the LSMs.
+ *
+ * Legacy names are handled by the presenting LSM.
+ * Suffixed names are handled by the named LSM.
+ */
+ if (strcmp(name, "context") == 0) {
+ security_task_getsecid(p, &secid);
+ rc = security_secid_to_secctx(&secid, &lsm, &lsmlen, &sop);
+ if (rc == 0) {
+ *value = kstrdup(lsm, GFP_KERNEL);
+ if (*value == NULL)
+ rc = -ENOMEM;
+ else
+ rc = strlen(*value);
+ security_release_secctx(lsm, lsmlen, sop);
+ }
+ return rc;
+ }
+
+ if (lsm_present && !strchr(name, '.'))
+ return present_getprocattr(p, name, value);
+
+ for_each_hook(sop, getprocattr) {
+ lsm = sop->name;
+ lsmlen = strlen(lsm);
+ if (!strncmp(name, lsm, lsmlen) && name[lsmlen] == '.')
+ return sop->getprocattr(p, name + lsmlen + 1, value);
+ }
+ return -EINVAL;
}
-int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size)
+int security_setprocattr(struct task_struct *p, char *name, void *value,
+ size_t size)
{
- return security_ops->setprocattr(p, name, value, size);
+ struct security_operations *sop;
+ char *lsm;
+ int lsmlen;
+
+ /*
+ * Names will either be in the legacy form containing
+ * no periods (".") or they will be the LSM name followed
+ * by the legacy suffix.
+ * "current" or "selinux.current"
+ *
+ * Legacy names are handled by the presenting LSM.
+ * Suffixed names are handled by the named LSM.
+ */
+ if (lsm_present && !strchr(name, '.'))
+ return present_setprocattr(p, name, value, size);
+
+ for_each_hook(sop, setprocattr) {
+ lsm = sop->name;
+ lsmlen = strlen(lsm);
+ if (!strncmp(name, lsm, lsmlen) && name[lsmlen] == '.')
+ return sop->setprocattr(p, name + lsmlen + 1, value,
+ size);
+ }
+ return -EINVAL;
}
int security_netlink_send(struct sock *sk, struct sk_buff *skb)
{
- return security_ops->netlink_send(sk, skb);
+ return call_int_cap_first(netlink_send, sk, skb);
}
int security_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen,
struct security_operations **secops)
{
- return security_ops->secid_to_secctx(secid->si_lsm[0], secdata, seclen);
+ struct security_operations *sop;
+ struct security_operations *gotthis = NULL;
+ char *data;
+ char *cp;
+ char *thisdata[COMPOSER_MAX];
+ u32 thislen[COMPOSER_MAX];
+ int thisrc[COMPOSER_MAX];
+ int gotmany = 0;
+ int ord;
+ u32 lenmany = 2;
+ int rc = 0;
+
+ for_each_hook(sop, secid_to_secctx) {
+ ord = sop->order;
+ if (secdata == NULL)
+ thisrc[ord] = sop->secid_to_secctx(secid->si_lsm[ord],
+ NULL, &thislen[ord]);
+ else
+ thisrc[ord] = sop->secid_to_secctx(secid->si_lsm[ord],
+ &thisdata[ord], &thislen[ord]);
+ if (thisrc[ord] == 0) {
+ if (gotthis == NULL)
+ gotthis = sop;
+ else
+ gotmany = 1;
+ lenmany += thislen[ord] + strlen(sop->name) + 3;
+ } else
+ rc = thisrc[ord];
+ }
+ if (gotthis == NULL) {
+ if (rc == 0)
+ return -EOPNOTSUPP;
+ return rc;
+ }
+ if (!gotmany) {
+ if (secdata != NULL)
+ *secdata = thisdata[gotthis->order];
+ *seclen = thislen[gotthis->order];
+ *secops = gotthis;
+ return 0;
+ }
+ if (secdata == NULL) {
+ *seclen = lenmany;
+ *secops = NULL;
+ return 0;
+ }
+
+ data = kzalloc(lenmany, GFP_KERNEL);
+ if (data != NULL) {
+ cp = data;
+ for_each_hook(sop, secid_to_secctx) {
+ ord = sop->order;
+ if (thisrc[ord] == 0)
+ cp += sprintf(cp, "%s='%s'", sop->name,
+ thisdata[ord]);
+ }
+ *secdata = data;
+ *seclen = lenmany;
+ *secops = NULL;
+ rc = 0;
+ } else
+ rc = -ENOMEM;
+
+ for_each_hook(sop, secid_to_secctx) {
+ ord = sop->order;
+ sop->release_secctx(thisdata[ord], thislen[ord]);
+ }
+
+ return rc;
}
EXPORT_SYMBOL(security_secid_to_secctx);
+static int lsm_specific_ctx(const char *secdata, char *lsm, char *ctx)
+{
+ char fmt[SECURITY_NAME_MAX + 10];
+ char *cp;
+ int rc;
+
+ sprintf(fmt, "%s='", lsm);
+ cp = strstr(secdata, fmt);
+ if (cp == NULL)
+ return 0;
+
+ sprintf(fmt, "%s='%%[^']'", lsm);
+ rc = sscanf(cp, fmt, ctx);
+
+ return rc;
+}
+
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct secids *secid)
{
- return security_ops->secctx_to_secid(secdata, seclen,
- &secid->si_lsm[0]);
+ struct security_operations *sop;
+ char *cp;
+ char *thisdata;
+ int thisrc;
+ int gotten = 0;
+ int rc = 0;
+
+ memset(secid, 0, sizeof(*secid));
+
+ cp = strnstr(secdata, "='", seclen);
+ if (cp == NULL) {
+ for_each_hook(sop, secctx_to_secid) {
+ thisrc = sop->secctx_to_secid(secdata, seclen,
+ &secid->si_lsm[sop->order]);
+ if (thisrc)
+ rc = thisrc;
+ else
+ gotten = 1;
+ }
+ } else {
+ thisdata = kzalloc(seclen, GFP_KERNEL);
+ if (thisdata == NULL)
+ return -ENOMEM;
+
+ for_each_hook(sop, secctx_to_secid) {
+ thisrc = lsm_specific_ctx(secdata, sop->name, thisdata);
+ if (thisrc == 0)
+ continue;
+ thisrc = sop->secctx_to_secid(thisdata, seclen,
+ &secid->si_lsm[sop->order]);
+ if (thisrc)
+ rc = thisrc;
+ else
+ gotten = 1;
+ }
+ kfree(thisdata);
+ }
+ if (gotten)
+ return 0;
+ return rc;
}
EXPORT_SYMBOL(security_secctx_to_secid);
void security_release_secctx(char *secdata, u32 seclen,
struct security_operations *sop)
{
- security_ops->release_secctx(secdata, seclen);
+ if (sop)
+ sop->release_secctx(secdata, seclen);
+ else
+ kfree(secdata);
}
EXPORT_SYMBOL(security_release_secctx);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
- return security_ops->inode_notifysecctx(inode, ctx, ctxlen);
+ struct security_operations *sop;
+ char *thisdata = NULL;
+ int thisrc;
+ int rc = 0;
+
+ if (ctx != NULL)
+ thisdata = strnstr(ctx, "='", ctxlen);
+ if (thisdata == NULL) {
+ for_each_hook(sop, inode_notifysecctx) {
+ thisrc = sop->inode_notifysecctx(inode, ctx, ctxlen);
+ if (thisrc)
+ rc = thisrc;
+ }
+ return rc;
+ }
+
+ thisdata = kzalloc(ctxlen, GFP_KERNEL);
+ if (thisdata == NULL)
+ return -ENOMEM;
+
+ for_each_hook(sop, inode_setsecctx) {
+ thisrc = lsm_specific_ctx(ctx, sop->name, thisdata);
+ if (thisrc == 0)
+ continue;
+ thisrc = sop->inode_notifysecctx(inode, thisdata, ctxlen);
+ if (thisrc)
+ rc = thisrc;
+ }
+ kfree(thisdata);
+ return rc;
}
EXPORT_SYMBOL(security_inode_notifysecctx);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
- return security_ops->inode_setsecctx(dentry, ctx, ctxlen);
+ struct security_operations *sop;
+ char *thisdata = NULL;
+ int thisrc;
+ int rc = 0;
+
+ if (ctx != NULL)
+ thisdata = strnstr(ctx, "='", ctxlen);
+ if (thisdata == NULL) {
+ for_each_hook(sop, inode_setsecctx) {
+ thisrc = sop->inode_setsecctx(dentry, ctx, ctxlen);
+ if (thisrc)
+ rc = thisrc;
+ }
+ return rc;
+ }
+
+ thisdata = kzalloc(ctxlen, GFP_KERNEL);
+ if (thisdata == NULL)
+ return -ENOMEM;
+
+ for_each_hook(sop, inode_setsecctx) {
+ thisrc = lsm_specific_ctx(ctx, sop->name, thisdata);
+ if (thisrc == 0)
+ continue;
+ thisrc = sop->inode_setsecctx(dentry, thisdata, ctxlen);
+ if (thisrc)
+ rc = thisrc;
+ }
+ kfree(thisdata);
+ return rc;
}
EXPORT_SYMBOL(security_inode_setsecctx);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen,
struct security_operations **secops)
{
- return security_ops->inode_getsecctx(inode, ctx, ctxlen);
+ struct security_operations *sop;
+ struct security_operations *gotthis = NULL;
+ void *data;
+ char *cp;
+ void *thisdata[COMPOSER_MAX];
+ u32 thislen[COMPOSER_MAX];
+ int thisrc[COMPOSER_MAX];
+ int gotmany = 0;
+ int ord;
+ u32 len = 2;
+ int rc = 0;
+
+ for_each_hook(sop, inode_getsecctx) {
+ ord = sop->order;
+ if (ctx == NULL)
+ thisrc[ord] = sop->inode_getsecctx(inode,
+ NULL, &thislen[ord]);
+ else
+ thisrc[ord] = sop->inode_getsecctx(inode,
+ &thisdata[ord], &thislen[ord]);
+ if (thisrc[ord] == 0) {
+ if (gotthis == NULL)
+ gotthis = sop;
+ else
+ gotmany = 1;
+ len += thislen[ord] + strlen(sop->name) + 3;
+ } else
+ rc = thisrc[ord];
+ }
+ if (gotthis == NULL) {
+ if (rc == 0)
+ return -EOPNOTSUPP;
+ return rc;
+ }
+ if (!gotmany) {
+ if (ctx != NULL)
+ *ctx = thisdata[gotthis->order];
+ *ctxlen = thislen[gotthis->order];
+ *secops = gotthis;
+ return 0;
+ }
+ if (ctx == NULL) {
+ *ctxlen = len;
+ *secops = NULL;
+ return 0;
+ }
+
+ data = kzalloc(len, GFP_KERNEL);
+ if (data != NULL) {
+ cp = (char *)data;
+ for_each_hook(sop, inode_getsecctx) {
+ ord = sop->order;
+ if (thisrc[ord] == 0)
+ cp += sprintf(cp, "%s='%s'", sop->name,
+ (char *)thisdata[ord]);
+ }
+ *ctx = data;
+ *ctxlen = len;
+ *secops = NULL;
+ rc = 0;
+ } else
+ rc = -ENOMEM;
+
+ for_each_hook(sop, inode_getsecctx) {
+ ord = sop->order;
+ sop->release_secctx(thisdata[ord], thislen[ord]);
+ }
+
+ return rc;
}
EXPORT_SYMBOL(security_inode_getsecctx);
@@ -1075,246 +2215,352 @@ EXPORT_SYMBOL(security_inode_getsecctx);
int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
{
- return security_ops->unix_stream_connect(sock, other, newsk);
+ return call_int_hook(unix_stream_connect, sock, other, newsk);
}
EXPORT_SYMBOL(security_unix_stream_connect);
int security_unix_may_send(struct socket *sock, struct socket *other)
{
- return security_ops->unix_may_send(sock, other);
+ return call_int_hook(unix_may_send, sock, other);
}
EXPORT_SYMBOL(security_unix_may_send);
int security_socket_create(int family, int type, int protocol, int kern)
{
- return security_ops->socket_create(family, type, protocol, kern);
+ return call_int_hook(socket_create, family, type, protocol, kern);
}
int security_socket_post_create(struct socket *sock, int family,
int type, int protocol, int kern)
{
- return security_ops->socket_post_create(sock, family, type,
+ return call_int_hook(socket_post_create, sock, family, type,
protocol, kern);
}
int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
{
- return security_ops->socket_bind(sock, address, addrlen);
+ return call_int_hook(socket_bind, sock, address, addrlen);
}
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
- return security_ops->socket_connect(sock, address, addrlen);
+ return call_int_hook(socket_connect, sock, address, addrlen);
}
int security_socket_listen(struct socket *sock, int backlog)
{
- return security_ops->socket_listen(sock, backlog);
+ return call_int_hook(socket_listen, sock, backlog);
}
int security_socket_accept(struct socket *sock, struct socket *newsock)
{
- return security_ops->socket_accept(sock, newsock);
+ return call_int_hook(socket_accept, sock, newsock);
}
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
- return security_ops->socket_sendmsg(sock, msg, size);
+ return call_int_hook(socket_sendmsg, sock, msg, size);
}
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
int size, int flags)
{
- return security_ops->socket_recvmsg(sock, msg, size, flags);
+ return call_int_hook(socket_recvmsg, sock, msg, size, flags);
}
int security_socket_getsockname(struct socket *sock)
{
- return security_ops->socket_getsockname(sock);
+ return call_int_hook(socket_getsockname, sock);
}
int security_socket_getpeername(struct socket *sock)
{
- return security_ops->socket_getpeername(sock);
+ return call_int_hook(socket_getpeername, sock);
}
int security_socket_getsockopt(struct socket *sock, int level, int optname)
{
- return security_ops->socket_getsockopt(sock, level, optname);
+ return call_int_hook(socket_getsockopt, sock, level, optname);
}
int security_socket_setsockopt(struct socket *sock, int level, int optname)
{
- return security_ops->socket_setsockopt(sock, level, optname);
+ return call_int_hook(socket_setsockopt, sock, level, optname);
}
int security_socket_shutdown(struct socket *sock, int how)
{
- return security_ops->socket_shutdown(sock, how);
+ return call_int_hook(socket_shutdown, sock, how);
}
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
- return security_ops->socket_sock_rcv_skb(sk, skb);
+ return call_int_hook(socket_sock_rcv_skb, sk, skb);
}
EXPORT_SYMBOL(security_sock_rcv_skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len)
{
- return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
+ struct security_operations *sop;
+ char __user *thisval = optval;
+ int thisrc;
+ int called = 0;
+ int rc = -ENOPROTOOPT;
+
+ for_each_hook(sop, socket_getpeersec_stream) {
+ if (called) {
+ thisrc = copy_to_user(thisval++, " ", 1);
+ if (thisrc) {
+ rc = -EFAULT;
+ break;
+ }
+ len--;
+ }
+ thisrc = sop->socket_getpeersec_stream(sock, thisval,
+ optlen, len);
+ if (thisrc == -ENOPROTOOPT)
+ continue;
+ if (thisrc == 0) {
+ rc = 0;
+ thisval += *optlen;
+ len -= *optlen;
+ }
+ else if (rc != 0)
+ rc = thisrc;
+ called = 1;
+ }
+ if (called) {
+ if (rc == 0) {
+ len = strlen(optval) + 1;
+ if (put_user(len, optlen) != 0)
+ rc = -EFAULT;
+ }
+ }
+ return rc;
}
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
struct secids *secid)
{
- return security_ops->socket_getpeersec_dgram(sock, skb,
- &secid->si_lsm[0]);
+ struct security_operations *sop;
+ int thisrc;
+ int rc = -ENOPROTOOPT;
+
+ memset(secid, 0, sizeof(*secid));
+
+ for_each_hook(sop, socket_getpeersec_dgram) {
+ thisrc = sop->socket_getpeersec_dgram(sock, skb,
+ &secid->si_lsm[sop->order]);
+ if (thisrc == -ENOPROTOOPT)
+ continue;
+ if (!thisrc) {
+ rc = 0;
+ secid->si_count++;
+ }
+ }
+ return rc;
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
{
- return security_ops->sk_alloc_security(sk, family, priority);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ sk->sk_security = &tblob;
+
+ for_each_hook(sop, sk_alloc_security) {
+ rc = sop->sk_alloc_security(sk, family, priority);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), priority);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->sk_free_security(sk);
+ }
+ }
+ sk->sk_security = bp;
+ return rc;
}
void security_sk_free(struct sock *sk)
{
- security_ops->sk_free_security(sk);
+ call_void_hook(sk_free_security, sk);
+
+ kfree(sk->sk_security);
+ sk->sk_security = NULL;
}
void security_sk_clone(const struct sock *sk, struct sock *newsk)
{
- security_ops->sk_clone_security(sk, newsk);
+ call_void_hook(sk_clone_security, sk, newsk);
}
EXPORT_SYMBOL(security_sk_clone);
void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
- security_ops->sk_getsecid(sk, &fl->flowi_secid);
+ call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
}
EXPORT_SYMBOL(security_sk_classify_flow);
void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
{
- security_ops->req_classify_flow(req, fl);
+ call_void_hook(req_classify_flow, req, fl);
}
EXPORT_SYMBOL(security_req_classify_flow);
void security_sock_graft(struct sock *sk, struct socket *parent)
{
- security_ops->sock_graft(sk, parent);
+ call_void_hook(sock_graft, sk, parent);
}
EXPORT_SYMBOL(security_sock_graft);
int security_inet_conn_request(struct sock *sk,
struct sk_buff *skb, struct request_sock *req)
{
- return security_ops->inet_conn_request(sk, skb, req);
+ return call_int_hook(inet_conn_request, sk, skb, req);
}
EXPORT_SYMBOL(security_inet_conn_request);
void security_inet_csk_clone(struct sock *newsk,
const struct request_sock *req)
{
- security_ops->inet_csk_clone(newsk, req);
+ call_void_hook(inet_csk_clone, newsk, req);
}
void security_inet_conn_established(struct sock *sk,
struct sk_buff *skb)
{
- security_ops->inet_conn_established(sk, skb);
+ call_void_hook(inet_conn_established, sk, skb);
}
int security_secmark_relabel_packet(u32 secid)
{
- return security_ops->secmark_relabel_packet(secid);
+ if (lsm_secmark_ops)
+ return lsm_secmark_ops->secmark_relabel_packet(secid);
+ return 0;
}
EXPORT_SYMBOL(security_secmark_relabel_packet);
void security_secmark_refcount_inc(void)
{
- security_ops->secmark_refcount_inc();
+ if (lsm_secmark_ops)
+ lsm_secmark_ops->secmark_refcount_inc();
}
EXPORT_SYMBOL(security_secmark_refcount_inc);
void security_secmark_refcount_dec(void)
{
- security_ops->secmark_refcount_dec();
+ if (lsm_secmark_ops)
+ lsm_secmark_ops->secmark_refcount_dec();
}
EXPORT_SYMBOL(security_secmark_refcount_dec);
int security_tun_dev_alloc_security(void **security)
{
- return security_ops->tun_dev_alloc_security(security);
+ return call_int_hook(tun_dev_alloc_security, security);
}
EXPORT_SYMBOL(security_tun_dev_alloc_security);
void security_tun_dev_free_security(void *security)
{
- security_ops->tun_dev_free_security(security);
+ call_void_hook(tun_dev_free_security, security);
}
EXPORT_SYMBOL(security_tun_dev_free_security);
int security_tun_dev_create(void)
{
- return security_ops->tun_dev_create();
+ return call_int_hook(tun_dev_create);
}
EXPORT_SYMBOL(security_tun_dev_create);
int security_tun_dev_attach_queue(void *security)
{
- return security_ops->tun_dev_attach_queue(security);
+ return call_int_hook(tun_dev_attach_queue, security);
}
EXPORT_SYMBOL(security_tun_dev_attach_queue);
int security_tun_dev_attach(struct sock *sk, void *security)
{
- return security_ops->tun_dev_attach(sk, security);
+ return call_int_hook(tun_dev_attach, sk, security);
}
EXPORT_SYMBOL(security_tun_dev_attach);
int security_tun_dev_open(void *security)
{
- return security_ops->tun_dev_open(security);
+ return call_int_hook(tun_dev_open, security);
}
EXPORT_SYMBOL(security_tun_dev_open);
void security_skb_owned_by(struct sk_buff *skb, struct sock *sk)
{
- security_ops->skb_owned_by(skb, sk);
+ call_void_hook(skb_owned_by, skb, sk);
}
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
+/*
+ * The xfrm hooks present special issues for composition
+ * as they don't use the usual scheme for passing in blobs.
+ * LSM registration checks ensure that only one xfrm using
+ * security module is loaded at a time.
+ * This shouldn't be much of an issue since SELinux is the
+ * only security module ever expected to use xfrm.
+ */
+#define call_xfrm_int_hook(FUNC, ...) ({ \
+ int rc = 0; \
+ do { \
+ if (!lsm_xfrm_ops) \
+ break; \
+ if (!lsm_xfrm_ops->FUNC) \
+ break; \
+ rc = lsm_xfrm_ops->FUNC(__VA_ARGS__); \
+ } while (0); \
+ rc; \
+})
int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx)
{
- return security_ops->xfrm_policy_alloc_security(ctxp, sec_ctx);
+ return call_xfrm_int_hook(xfrm_policy_alloc_security, ctxp, sec_ctx);
}
EXPORT_SYMBOL(security_xfrm_policy_alloc);
int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
struct xfrm_sec_ctx **new_ctxp)
{
- return security_ops->xfrm_policy_clone_security(old_ctx, new_ctxp);
+ return call_xfrm_int_hook(xfrm_policy_clone_security, old_ctx,
+ new_ctxp);
}
void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
- security_ops->xfrm_policy_free_security(ctx);
+ if (lsm_xfrm_ops && lsm_xfrm_ops->xfrm_policy_free_security)
+ lsm_xfrm_ops->xfrm_policy_free_security(ctx);
}
EXPORT_SYMBOL(security_xfrm_policy_free);
int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
- return security_ops->xfrm_policy_delete_security(ctx);
+ return call_xfrm_int_hook(xfrm_policy_delete_security, ctx);
}
int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
{
- return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0);
+ return call_xfrm_int_hook(xfrm_state_alloc_security, x, sec_ctx, 0);
}
EXPORT_SYMBOL(security_xfrm_state_alloc);
@@ -1327,42 +2573,46 @@ int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
* We want the context to be taken from secid which is usually
* from the sock.
*/
- return security_ops->xfrm_state_alloc_security(x, NULL, secid);
+ return call_xfrm_int_hook(xfrm_state_alloc_security, x, NULL, secid);
}
int security_xfrm_state_delete(struct xfrm_state *x)
{
- return security_ops->xfrm_state_delete_security(x);
+ return call_xfrm_int_hook(xfrm_state_delete_security, x);
}
EXPORT_SYMBOL(security_xfrm_state_delete);
void security_xfrm_state_free(struct xfrm_state *x)
{
- security_ops->xfrm_state_free_security(x);
+ if (lsm_xfrm_ops && lsm_xfrm_ops->xfrm_state_free_security)
+ lsm_xfrm_ops->xfrm_state_free_security(x);
}
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
- return security_ops->xfrm_policy_lookup(ctx, fl_secid, dir);
+ return call_xfrm_int_hook(xfrm_policy_lookup, ctx, fl_secid, dir);
}
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
struct xfrm_policy *xp,
const struct flowi *fl)
{
- return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
+ if (lsm_xfrm_ops && lsm_xfrm_ops->xfrm_state_pol_flow_match)
+ return lsm_xfrm_ops->xfrm_state_pol_flow_match(x, xp, fl);
+
+ return 1;
}
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
- return security_ops->xfrm_decode_session(skb, secid, 1);
+ return call_xfrm_int_hook(xfrm_decode_session, skb, secid, 1);
}
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
{
- int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0);
+ int rc;
- BUG_ON(rc);
+ rc = call_xfrm_int_hook(xfrm_decode_session, skb, &fl->flowi_secid, 0);
}
EXPORT_SYMBOL(security_skb_classify_flow);
@@ -1373,23 +2623,60 @@ EXPORT_SYMBOL(security_skb_classify_flow);
int security_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags)
{
- return security_ops->key_alloc(key, cred, flags);
+ struct security_operations *sop;
+ struct security_operations *note[COMPOSER_MAX];
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int rc = 0;
+ int successes = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+ key->security = &tblob;
+
+ for_each_hook(sop, key_alloc) {
+ rc = sop->key_alloc(key, cred, flags);
+ if (rc)
+ break;
+ note[successes++] = sop;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ if (rc == 0)
+ bp = kmemdup(&tblob, sizeof(tblob), GFP_KERNEL);
+ if (bp == NULL) {
+ if (rc == 0)
+ rc = -ENOMEM;
+ while (successes > 0)
+ note[--successes]->key_free(key);
+ }
+ }
+
+ key->security = bp;
+ return rc;
}
void security_key_free(struct key *key)
{
- security_ops->key_free(key);
+ call_void_hook(key_free, key);
+
+ kfree(key->security);
+ key->security = NULL;
}
int security_key_permission(key_ref_t key_ref,
const struct cred *cred, key_perm_t perm)
{
- return security_ops->key_permission(key_ref, cred, perm);
+ return call_int_hook(key_permission, key_ref, cred, perm);
}
int security_key_getsecurity(struct key *key, char **_buffer)
{
- return security_ops->key_getsecurity(key, _buffer);
+ int rc;
+
+ if (call_int_must(rc, key_getsecurity, key, _buffer))
+ return rc;
+ *_buffer = NULL;
+ return 0;
}
#endif /* CONFIG_KEYS */
@@ -1398,24 +2685,86 @@ int security_key_getsecurity(struct key *key, char **_buffer)
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
- return security_ops->audit_rule_init(field, op, rulestr, lsmrule);
+ struct security_operations *sop;
+ struct lsm_blob tblob;
+ struct lsm_blob *bp = NULL;
+ int thisrc;
+ int rc = 0;
+
+ memset(&tblob, 0, sizeof(tblob));
+
+ for_each_hook(sop, audit_rule_init) {
+ thisrc = sop->audit_rule_init(field, op, rulestr,
+ &tblob.lsm_blobs[sop->order]);
+ if (thisrc == 0)
+ tblob.lsm_setcount++;
+ else if (thisrc == -EINVAL) {
+ tblob.lsm_setcount++;
+ pr_warn("audit rule \"%s\" is invalid for %s.\n",
+ rulestr, sop->name);
+ } else
+ rc = thisrc;
+ }
+
+ if (tblob.lsm_setcount != 0) {
+ bp = kmemdup(&tblob, sizeof(tblob), GFP_KERNEL);
+ if (bp == NULL) {
+ rc = -ENOMEM;
+ for_each_hook(sop, audit_rule_free)
+ sop->audit_rule_free(
+ tblob.lsm_blobs[sop->order]);
+ }
+ }
+
+ *lsmrule = bp;
+ return rc;
}
int security_audit_rule_known(struct audit_krule *krule)
{
- return security_ops->audit_rule_known(krule);
+ struct security_operations *sop;
+
+ for_each_hook(sop, audit_rule_free)
+ if (sop->audit_rule_known(krule))
+ return 1;
+ return 0;
}
void security_audit_rule_free(void *lsmrule)
{
- security_ops->audit_rule_free(lsmrule);
+ struct security_operations *sop;
+ struct lsm_blob *bp = lsmrule;
+
+ if (bp == NULL)
+ return;
+
+ for_each_hook(sop, audit_rule_free)
+ sop->audit_rule_free(bp->lsm_blobs[sop->order]);
+
+ kfree(bp);
}
-int security_audit_rule_match(struct secids *secid, u32 field, u32 op, void *lsmrule,
- struct audit_context *actx)
+int security_audit_rule_match(struct secids *secid, u32 field, u32 op,
+ void *lsmrule, struct audit_context *actx)
{
- return security_ops->audit_rule_match(secid->si_lsm[0], field, op,
- lsmrule, actx);
+ struct security_operations *sop;
+ struct lsm_blob *bp = lsmrule;
+ int order;
+ int rc;
+
+ if (lsmrule == NULL)
+ return 0;
+
+ for_each_hook(sop, audit_rule_match) {
+ order = sop->order;
+ if (bp->lsm_blobs[order] != NULL) {
+ rc = sop->audit_rule_match(secid->si_lsm[order], field,
+ op, bp->lsm_blobs[order], actx);
+ if (rc)
+ return rc;
+ }
+ }
+ return 0;
}
#endif /* CONFIG_AUDIT */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7104c6b..434adb0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1815,12 +1815,6 @@ static inline u32 open_file_to_av(struct file *file)
static int selinux_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int rc;
-
- rc = cap_ptrace_access_check(child, mode);
- if (rc)
- return rc;
-
if (mode & PTRACE_MODE_READ) {
u32 sid = current_sid();
u32 csid = task_sid(child);
@@ -1832,12 +1826,6 @@ static int selinux_ptrace_access_check(struct task_struct *child,
static int selinux_ptrace_traceme(struct task_struct *parent)
{
- int rc;
-
- rc = cap_ptrace_traceme(parent);
- if (rc)
- return rc;
-
return task_has_perm(parent, current, PROCESS__PTRACE);
}
@@ -1858,13 +1846,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted)
{
- int error;
-
- error = cap_capset(new, old, effective, inheritable, permitted);
-
- if (error)
- return error;
-
return cred_has_perm(old, new, PROCESS__SETCAP);
}
@@ -1881,12 +1862,6 @@ static int selinux_capset(struct cred *new, const struct cred *old,
static int selinux_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit)
{
- int rc;
-
- rc = cap_capable(cred, ns, cap, audit);
- if (rc)
- return rc;
-
return cred_has_capability(cred, cap, audit);
}
@@ -1983,10 +1958,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
struct inode *inode = file_inode(bprm->file);
int rc;
- rc = cap_bprm_set_creds(bprm);
- if (rc)
- return rc;
-
/* SELinux context only depends on initial program or script and not
* the script interpreter */
if (bprm->cred_prepared)
@@ -2110,7 +2081,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm)
PROCESS__NOATSECURE, NULL);
}
- return (atsecure || cap_bprm_secureexec(bprm));
+ return atsecure;
}
static int match_file(const void *p, struct file *file, unsigned fd)
@@ -3414,23 +3385,11 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
static int selinux_task_setnice(struct task_struct *p, int nice)
{
- int rc;
-
- rc = cap_task_setnice(p, nice);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
static int selinux_task_setioprio(struct task_struct *p, int ioprio)
{
- int rc;
-
- rc = cap_task_setioprio(p, ioprio);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
@@ -3456,12 +3415,6 @@ static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
static int selinux_task_setscheduler(struct task_struct *p)
{
- int rc;
-
- rc = cap_task_setscheduler(p);
- if (rc)
- return rc;
-
return current_has_perm(p, PROCESS__SETSCHED);
}
@@ -4806,12 +4759,6 @@ static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
- int err;
-
- err = cap_netlink_send(sk, skb);
- if (err)
- return err;
-
return selinux_nlmsg_perm(sk, skb);
}
@@ -5748,14 +5695,13 @@ struct security_operations selinux_ops = {
static __init int selinux_init(void)
{
-
- if (!security_module_enable(&selinux_ops)) {
- selinux_enabled = 0;
+ if (!selinux_enabled) {
+ pr_info("SELinux: Disabled at boot.\n");
return 0;
}
- if (!selinux_enabled) {
- printk(KERN_INFO "SELinux: Disabled at boot.\n");
+ if (security_module_enable(&selinux_ops)) {
+ selinux_enabled = 0;
return 0;
}
@@ -5771,9 +5717,6 @@ static __init int selinux_init(void)
0, SLAB_PANIC, NULL);
avc_init();
- if (register_security(&selinux_ops))
- panic("SELinux: Unable to register with kernel.\n");
-
if (selinux_enforcing)
printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
else
@@ -5907,13 +5850,13 @@ int selinux_disable(void)
return -EINVAL;
}
+ security_module_disable(&selinux_ops);
+
printk(KERN_INFO "SELinux: Disabled at runtime.\n");
selinux_disabled = 1;
selinux_enabled = 0;
- reset_security_ops();
-
/* Try to destroy the avc node cache */
avc_disable();
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 7473498..2f7e736 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -171,14 +171,9 @@ static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
*/
static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
{
- int rc;
struct smk_audit_info ad;
char *tsp;
- rc = cap_ptrace_access_check(ctp, mode);
- if (rc != 0)
- return rc;
-
tsp = smk_of_task(task_security(ctp));
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ctp);
@@ -196,14 +191,9 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
*/
static int smack_ptrace_traceme(struct task_struct *ptp)
{
- int rc;
struct smk_audit_info ad;
char *tsp;
- rc = cap_ptrace_traceme(ptp);
- if (rc != 0)
- return rc;
-
tsp = smk_of_task(task_security(ptp));
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
smk_ad_setfield_u_tsk(&ad, ptp);
@@ -469,11 +459,6 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
struct inode *inode = file_inode(bprm->file);
struct task_smack *bsp = lsm_get_cred(bprm->cred, &smack_ops);
struct inode_smack *isp;
- int rc;
-
- rc = cap_bprm_set_creds(bprm);
- if (rc != 0)
- return rc;
if (bprm->cred_prepared)
return 0;
@@ -514,12 +499,8 @@ static void smack_bprm_committing_creds(struct linux_binprm *bprm)
static int smack_bprm_secureexec(struct linux_binprm *bprm)
{
struct task_smack *tsp = lsm_get_cred(current_cred(), &smack_ops);
- int ret = cap_bprm_secureexec(bprm);
- if (!ret && (tsp->smk_task != tsp->smk_forked))
- ret = 1;
-
- return ret;
+ return (tsp->smk_task != tsp->smk_forked);
}
/*
@@ -1583,12 +1564,7 @@ static void smack_task_getsecid(struct task_struct *p, u32 *secid)
*/
static int smack_task_setnice(struct task_struct *p, int nice)
{
- int rc;
-
- rc = cap_task_setnice(p, nice);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -1600,12 +1576,7 @@ static int smack_task_setnice(struct task_struct *p, int nice)
*/
static int smack_task_setioprio(struct task_struct *p, int ioprio)
{
- int rc;
-
- rc = cap_task_setioprio(p, ioprio);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -1629,12 +1600,7 @@ static int smack_task_getioprio(struct task_struct *p)
*/
static int smack_task_setscheduler(struct task_struct *p)
{
- int rc;
-
- rc = cap_task_setscheduler(p);
- if (rc == 0)
- rc = smk_curacc_on_task(p, MAY_WRITE, __func__);
- return rc;
+ return smk_curacc_on_task(p, MAY_WRITE, __func__);
}
/**
@@ -3591,7 +3557,7 @@ static __init int smack_init(void)
struct cred *cred;
struct task_smack *tsp;
- if (!security_module_enable(&smack_ops))
+ if (security_module_enable(&smack_ops))
return 0;
tsp = new_task_smack(smack_known_floor.smk_known,
@@ -3613,12 +3579,6 @@ static __init int smack_init(void)
/* initialize the smack_known_list */
init_smack_known_list();
- /*
- * Register with LSM
- */
- if (register_security(&smack_ops))
- panic("smack: Unable to register with kernel.\n");
-
return 0;
}
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index f51f98f..aefe8e7 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -2217,7 +2217,7 @@ static int __init init_smk_fs(void)
int err;
int rc;
- if (!security_module_enable(&smack_ops))
+ if (security_module_enable(&smack_ops))
return 0;
err = smk_init_sysfs();
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 2b4cade..bfe54d6 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -78,12 +78,6 @@ static void tomoyo_cred_free(struct cred *cred)
*/
static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
{
- int rc;
-
- rc = cap_bprm_set_creds(bprm);
- if (rc)
- return rc;
-
/*
* Do only if this function is called for the first time of an execve
* operation.
@@ -556,7 +550,7 @@ static int __init tomoyo_init(void)
struct cred *cred = (struct cred *) current_cred();
/* register ourselves with the security framework */
- if (!security_module_enable(&tomoyo_security_ops))
+ if (security_module_enable(&tomoyo_security_ops))
return 0;
if (init_srcu_struct(&tomoyo_ss))
diff --git a/security/yama/Kconfig b/security/yama/Kconfig
index 51d6709..a99aa1d 100644
--- a/security/yama/Kconfig
+++ b/security/yama/Kconfig
@@ -11,3 +11,4 @@ config SECURITY_YAMA
Further information can be found in Documentation/security/Yama.txt.
If you are unsure how to answer this question, answer N.
+
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 63ad9bb..4958e68 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -154,13 +154,9 @@ void yama_task_free(struct task_struct *task)
int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
- int rc;
+ int rc = -ENOSYS;
struct task_struct *myself = current;
- rc = cap_task_prctl(option, arg2, arg3, arg4, arg5);
- if (rc != -ENOSYS)
- return rc;
-
switch (option) {
case PR_SET_PTRACER:
/* Since a thread can call prctl(), find the group leader
@@ -282,14 +278,7 @@ static int ptracer_exception_found(struct task_struct *tracer,
int yama_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
- int rc;
-
- /* If standard caps disallows it, so does Yama. We should
- * only tighten restrictions further.
- */
- rc = cap_ptrace_access_check(child, mode);
- if (rc)
- return rc;
+ int rc = 0;
/* require ptrace target be a child of ptracer on attach */
if (mode == PTRACE_MODE_ATTACH) {
@@ -335,14 +324,7 @@ int yama_ptrace_access_check(struct task_struct *child,
*/
int yama_ptrace_traceme(struct task_struct *parent)
{
- int rc;
-
- /* If standard caps disallows it, so does Yama. We should
- * only tighten restrictions further.
- */
- rc = cap_ptrace_traceme(parent);
- if (rc)
- return rc;
+ int rc = 0;
/* Only disallow PTRACE_TRACEME on more aggressive settings. */
switch (ptrace_scope) {
@@ -364,6 +346,14 @@ int yama_ptrace_traceme(struct task_struct *parent)
return rc;
}
+static struct security_operations yama_ops = {
+ .name = "yama",
+
+ .ptrace_access_check = yama_ptrace_access_check,
+ .ptrace_traceme = yama_ptrace_traceme,
+ .task_prctl = yama_task_prctl,
+ .task_free = yama_task_free,
+};
#ifdef CONFIG_SYSCTL
static int yama_dointvec_minmax(struct ctl_table *table, int write,
@@ -410,6 +400,8 @@ static struct ctl_table yama_sysctl_table[] = {
static __init int yama_init(void)
{
+ if (security_module_enable(&yama_ops))
+ return 0;
printk(KERN_INFO "Yama: becoming mindful.\n");
^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH v13 9/9] LSM: Documentation and cleanup
[not found] <5176ABB7.5080300@schaufler-ca.com>
` (8 preceding siblings ...)
2013-04-23 16:04 ` [PATCH v13 8/9] LSM: Hook list management Casey Schaufler
@ 2013-04-23 16:05 ` Casey Schaufler
2013-04-23 19:02 ` Randy Dunlap
9 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2013-04-23 16:05 UTC (permalink / raw)
To: LSM, LKLM, SE Linux, James Morris
Cc: John Johansen, Eric Paris, Tetsuo Handa, Kees Cook,
Casey Schaufler
Subject: [PATCH v13 9/9] LSM: Documentation and cleanup
Add a description of the ways secuirty modules work now.
Remove security/capability.c as it is no longer used.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
Documentation/security/LSM.txt | 39 +-
security/Makefile | 3 +-
security/capability.c | 1104 ----------------------------------------
3 files changed, 31 insertions(+), 1115 deletions(-)
diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt
index c335a76..f979e00 100644
--- a/Documentation/security/LSM.txt
+++ b/Documentation/security/LSM.txt
@@ -9,18 +9,39 @@ CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
"security=..." kernel command line argument, in the case where multiple
LSMs were built into a given kernel.
+Both CONFIG_DEFAULT_SECURITY and the "security=" option take a comma
+separated list of LSM names. The LSM hooks are invoked in the order
+specified. All hooks provided are invoked regardless of the outcome
+of preceeding hooks. Hooks the return success or failure results
+return success if all of the LSM provided hooks succeed and the error
+code of the last failing hook on error.
+
+The /proc filesystem attribute interface supports files from a time
+when only one LSM could be used at a time. CONFIG_PRESENT_SECURITY
+defines which LSM uses these interfaces. There are also LSM identified
+interfaces which should be used in preference to the undifferentiated
+interfaces.
+
+The three networking mechanisms supporting LSM attributes are
+restricted to providing those attributes for a single LSM each.
+CONFIG_SECMARK_LSM specifies which LSM will provide hooks for the
+secmark mechanism. CONFIG_NETLABEL_LSM specifies which LSM hooks
+are used by NetLabel to provide IPv4 CIPSO headers. CONFIG_XFRM_LSM
+specifies the LSM providing xfrm hooks.
+
+The Linux capabilities system is used in conjunction with any LSMs.
+LSM hooks are called after the capability checks in most cases,
+but after in a small number of cases. All LSM hooks need to be aware
+of the potential interactions with the capability system. For more
+details on capabilities, see capabilities(7) in the Linux man-pages
+project.
+
The primary users of the LSM interface are Mandatory Access Control
(MAC) extensions which provide a comprehensive security policy. Examples
include SELinux, Smack, Tomoyo, and AppArmor. In addition to the larger
-MAC extensions, other extensions can be built using the LSM to provide
-specific changes to system operation when these tweaks are not available
-in the core functionality of Linux itself.
-
-Without a specific LSM built into the kernel, the default LSM will be the
-Linux capabilities system. Most LSMs choose to extend the capabilities
-system, building their checks on top of the defined capability hooks.
-For more details on capabilities, see capabilities(7) in the Linux
-man-pages project.
+MAC extensions, other extensions such as Yama can be built using the LSM
+to provide specific changes to system operation when these tweaks are not
+available in the core functionality of Linux itself.
Based on http://kerneltrap.org/Linux/Documenting_Security_Module_Intent,
a new LSM is accepted into the kernel when its intent (a description of
diff --git a/security/Makefile b/security/Makefile
index c26c81e..b1875b1 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -14,9 +14,8 @@ obj-y += commoncap.o
obj-$(CONFIG_MMU) += min_addr.o
# Object file lists
-obj-$(CONFIG_SECURITY) += security.o capability.o
+obj-$(CONFIG_SECURITY) += security.o
obj-$(CONFIG_SECURITYFS) += inode.o
-# Must precede capability.o in order to stack properly.
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
obj-$(CONFIG_AUDIT) += lsm_audit.o
diff --git a/security/capability.c b/security/capability.c
deleted file mode 100644
index d7b2a38..0000000
--- a/security/capability.c
+++ /dev/null
@@ -1,1104 +0,0 @@
-/*
- * Capabilities Linux Security Module
- *
- * This is the default security module in case no other module is loaded.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- */
-
-#include <linux/security.h>
-
-static int cap_syslog(int type)
-{
- return 0;
-}
-
-static int cap_quotactl(int cmds, int type, int id, struct super_block *sb)
-{
- return 0;
-}
-
-static int cap_quota_on(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_bprm_check_security(struct linux_binprm *bprm)
-{
- return 0;
-}
-
-static void cap_bprm_committing_creds(struct linux_binprm *bprm)
-{
-}
-
-static void cap_bprm_committed_creds(struct linux_binprm *bprm)
-{
-}
-
-static int cap_sb_alloc_security(struct super_block *sb)
-{
- return 0;
-}
-
-static void cap_sb_free_security(struct super_block *sb)
-{
-}
-
-static int cap_sb_copy_data(char *orig, char *copy)
-{
- return 0;
-}
-
-static int cap_sb_remount(struct super_block *sb, void *data)
-{
- return 0;
-}
-
-static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data)
-{
- return 0;
-}
-
-static int cap_sb_show_options(struct seq_file *m, struct super_block *sb)
-{
- return 0;
-}
-
-static int cap_sb_statfs(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_sb_mount(const char *dev_name, struct path *path,
- const char *type, unsigned long flags, void *data)
-{
- return 0;
-}
-
-static int cap_sb_umount(struct vfsmount *mnt, int flags)
-{
- return 0;
-}
-
-static int cap_sb_pivotroot(struct path *old_path, struct path *new_path)
-{
- return 0;
-}
-
-static int cap_sb_set_mnt_opts(struct super_block *sb,
- struct security_mnt_opts *opts)
-{
- if (unlikely(opts->num_mnt_opts))
- return -EOPNOTSUPP;
- return 0;
-}
-
-static void cap_sb_clone_mnt_opts(const struct super_block *oldsb,
- struct super_block *newsb)
-{
-}
-
-static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
-{
- return 0;
-}
-
-static int cap_inode_alloc_security(struct inode *inode)
-{
- return 0;
-}
-
-static void cap_inode_free_security(struct inode *inode)
-{
-}
-
-static int cap_inode_init_security(struct inode *inode, struct inode *dir,
- const struct qstr *qstr, char **name,
- void **value, size_t *len)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_create(struct inode *inode, struct dentry *dentry,
- umode_t mask)
-{
- return 0;
-}
-
-static int cap_inode_link(struct dentry *old_dentry, struct inode *inode,
- struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_inode_unlink(struct inode *inode, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_symlink(struct inode *inode, struct dentry *dentry,
- const char *name)
-{
- return 0;
-}
-
-static int cap_inode_mkdir(struct inode *inode, struct dentry *dentry,
- umode_t mask)
-{
- return 0;
-}
-
-static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_mknod(struct inode *inode, struct dentry *dentry,
- umode_t mode, dev_t dev)
-{
- return 0;
-}
-
-static int cap_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
- struct inode *new_inode, struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_inode_readlink(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_follow_link(struct dentry *dentry,
- struct nameidata *nameidata)
-{
- return 0;
-}
-
-static int cap_inode_permission(struct inode *inode, int mask)
-{
- return 0;
-}
-
-static int cap_inode_setattr(struct dentry *dentry, struct iattr *iattr)
-{
- return 0;
-}
-
-static int cap_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
-{
- return 0;
-}
-
-static void cap_inode_post_setxattr(struct dentry *dentry, const char *name,
- const void *value, size_t size, int flags)
-{
-}
-
-static int cap_inode_getxattr(struct dentry *dentry, const char *name)
-{
- return 0;
-}
-
-static int cap_inode_listxattr(struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_inode_getsecurity(const struct inode *inode, const char *name,
- void **buffer, bool alloc)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_setsecurity(struct inode *inode, const char *name,
- const void *value, size_t size, int flags)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_inode_listsecurity(struct inode *inode, char *buffer,
- size_t buffer_size)
-{
- return 0;
-}
-
-static void cap_inode_getsecid(const struct inode *inode, u32 *secid)
-{
- *secid = 0;
-}
-
-#ifdef CONFIG_SECURITY_PATH
-static int cap_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode,
- unsigned int dev)
-{
- return 0;
-}
-
-static int cap_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode)
-{
- return 0;
-}
-
-static int cap_path_rmdir(struct path *dir, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_path_unlink(struct path *dir, struct dentry *dentry)
-{
- return 0;
-}
-
-static int cap_path_symlink(struct path *dir, struct dentry *dentry,
- const char *old_name)
-{
- return 0;
-}
-
-static int cap_path_link(struct dentry *old_dentry, struct path *new_dir,
- struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_path_rename(struct path *old_path, struct dentry *old_dentry,
- struct path *new_path, struct dentry *new_dentry)
-{
- return 0;
-}
-
-static int cap_path_truncate(struct path *path)
-{
- return 0;
-}
-
-static int cap_path_chmod(struct path *path, umode_t mode)
-{
- return 0;
-}
-
-static int cap_path_chown(struct path *path, kuid_t uid, kgid_t gid)
-{
- return 0;
-}
-
-static int cap_path_chroot(struct path *root)
-{
- return 0;
-}
-#endif
-
-static int cap_file_permission(struct file *file, int mask)
-{
- return 0;
-}
-
-static int cap_file_alloc_security(struct file *file)
-{
- return 0;
-}
-
-static void cap_file_free_security(struct file *file)
-{
-}
-
-static int cap_file_ioctl(struct file *file, unsigned int command,
- unsigned long arg)
-{
- return 0;
-}
-
-static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
- unsigned long prot)
-{
- return 0;
-}
-
-static int cap_file_lock(struct file *file, unsigned int cmd)
-{
- return 0;
-}
-
-static int cap_file_fcntl(struct file *file, unsigned int cmd,
- unsigned long arg)
-{
- return 0;
-}
-
-static int cap_file_set_fowner(struct file *file)
-{
- return 0;
-}
-
-static int cap_file_send_sigiotask(struct task_struct *tsk,
- struct fown_struct *fown, int sig)
-{
- return 0;
-}
-
-static int cap_file_receive(struct file *file)
-{
- return 0;
-}
-
-static int cap_file_open(struct file *file, const struct cred *cred)
-{
- return 0;
-}
-
-static int cap_task_create(unsigned long clone_flags)
-{
- return 0;
-}
-
-static void cap_task_free(struct task_struct *task)
-{
-}
-
-static int cap_cred_alloc_blank(struct cred *cred, gfp_t gfp)
-{
- return 0;
-}
-
-static void cap_cred_free(struct cred *cred)
-{
-}
-
-static int cap_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp)
-{
- return 0;
-}
-
-static void cap_cred_transfer(struct cred *new, const struct cred *old)
-{
-}
-
-static int cap_kernel_act_as(struct cred *new, u32 secid)
-{
- return 0;
-}
-
-static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
-{
- return 0;
-}
-
-static int cap_kernel_module_request(char *kmod_name)
-{
- return 0;
-}
-
-static int cap_kernel_module_from_file(struct file *file)
-{
- return 0;
-}
-
-static int cap_task_setpgid(struct task_struct *p, pid_t pgid)
-{
- return 0;
-}
-
-static int cap_task_getpgid(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_getsid(struct task_struct *p)
-{
- return 0;
-}
-
-static void cap_task_getsecid(struct task_struct *p, u32 *secid)
-{
- *secid = 0;
-}
-
-static int cap_task_getioprio(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_setrlimit(struct task_struct *p, unsigned int resource,
- struct rlimit *new_rlim)
-{
- return 0;
-}
-
-static int cap_task_getscheduler(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_movememory(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_wait(struct task_struct *p)
-{
- return 0;
-}
-
-static int cap_task_kill(struct task_struct *p, struct siginfo *info,
- int sig, const struct cred *ucred)
-{
- return 0;
-}
-
-static void cap_task_to_inode(struct task_struct *p, struct inode *inode)
-{
-}
-
-static int cap_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
-{
- return 0;
-}
-
-static void cap_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
-{
- *secid = 0;
-}
-
-static int cap_msg_msg_alloc_security(struct msg_msg *msg)
-{
- return 0;
-}
-
-static void cap_msg_msg_free_security(struct msg_msg *msg)
-{
-}
-
-static int cap_msg_queue_alloc_security(struct msg_queue *msq)
-{
- return 0;
-}
-
-static void cap_msg_queue_free_security(struct msg_queue *msq)
-{
-}
-
-static int cap_msg_queue_associate(struct msg_queue *msq, int msqflg)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgctl(struct msg_queue *msq, int cmd)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
- int msgflg)
-{
- return 0;
-}
-
-static int cap_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
- struct task_struct *target, long type, int mode)
-{
- return 0;
-}
-
-static int cap_shm_alloc_security(struct shmid_kernel *shp)
-{
- return 0;
-}
-
-static void cap_shm_free_security(struct shmid_kernel *shp)
-{
-}
-
-static int cap_shm_associate(struct shmid_kernel *shp, int shmflg)
-{
- return 0;
-}
-
-static int cap_shm_shmctl(struct shmid_kernel *shp, int cmd)
-{
- return 0;
-}
-
-static int cap_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
- int shmflg)
-{
- return 0;
-}
-
-static int cap_sem_alloc_security(struct sem_array *sma)
-{
- return 0;
-}
-
-static void cap_sem_free_security(struct sem_array *sma)
-{
-}
-
-static int cap_sem_associate(struct sem_array *sma, int semflg)
-{
- return 0;
-}
-
-static int cap_sem_semctl(struct sem_array *sma, int cmd)
-{
- return 0;
-}
-
-static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops,
- unsigned nsops, int alter)
-{
- return 0;
-}
-
-#ifdef CONFIG_SECURITY_NETWORK
-static int cap_unix_stream_connect(struct sock *sock, struct sock *other,
- struct sock *newsk)
-{
- return 0;
-}
-
-static int cap_unix_may_send(struct socket *sock, struct socket *other)
-{
- return 0;
-}
-
-static int cap_socket_create(int family, int type, int protocol, int kern)
-{
- return 0;
-}
-
-static int cap_socket_post_create(struct socket *sock, int family, int type,
- int protocol, int kern)
-{
- return 0;
-}
-
-static int cap_socket_bind(struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int cap_socket_connect(struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int cap_socket_listen(struct socket *sock, int backlog)
-{
- return 0;
-}
-
-static int cap_socket_accept(struct socket *sock, struct socket *newsock)
-{
- return 0;
-}
-
-static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
-{
- return 0;
-}
-
-static int cap_socket_recvmsg(struct socket *sock, struct msghdr *msg,
- int size, int flags)
-{
- return 0;
-}
-
-static int cap_socket_getsockname(struct socket *sock)
-{
- return 0;
-}
-
-static int cap_socket_getpeername(struct socket *sock)
-{
- return 0;
-}
-
-static int cap_socket_setsockopt(struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int cap_socket_getsockopt(struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int cap_socket_shutdown(struct socket *sock, int how)
-{
- return 0;
-}
-
-static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
-{
- return 0;
-}
-
-static int cap_socket_getpeersec_stream(struct socket *sock,
- char __user *optval,
- int __user *optlen, unsigned len)
-{
- return -ENOPROTOOPT;
-}
-
-static int cap_socket_getpeersec_dgram(struct socket *sock,
- struct sk_buff *skb, u32 *secid)
-{
- return -ENOPROTOOPT;
-}
-
-static int cap_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
-{
- return 0;
-}
-
-static void cap_sk_free_security(struct sock *sk)
-{
-}
-
-static void cap_sk_clone_security(const struct sock *sk, struct sock *newsk)
-{
-}
-
-static void cap_sk_getsecid(struct sock *sk, u32 *secid)
-{
-}
-
-static void cap_sock_graft(struct sock *sk, struct socket *parent)
-{
-}
-
-static int cap_inet_conn_request(struct sock *sk, struct sk_buff *skb,
- struct request_sock *req)
-{
- return 0;
-}
-
-static void cap_inet_csk_clone(struct sock *newsk,
- const struct request_sock *req)
-{
-}
-
-static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb)
-{
-}
-
-static int cap_secmark_relabel_packet(u32 secid)
-{
- return 0;
-}
-
-static void cap_secmark_refcount_inc(void)
-{
-}
-
-static void cap_secmark_refcount_dec(void)
-{
-}
-
-static void cap_req_classify_flow(const struct request_sock *req,
- struct flowi *fl)
-{
-}
-
-static int cap_tun_dev_alloc_security(void **security)
-{
- return 0;
-}
-
-static void cap_tun_dev_free_security(void *security)
-{
-}
-
-static int cap_tun_dev_create(void)
-{
- return 0;
-}
-
-static int cap_tun_dev_attach_queue(void *security)
-{
- return 0;
-}
-
-static int cap_tun_dev_attach(struct sock *sk, void *security)
-{
- return 0;
-}
-
-static int cap_tun_dev_open(void *security)
-{
- return 0;
-}
-
-static void cap_skb_owned_by(struct sk_buff *skb, struct sock *sk)
-{
-}
-
-#endif /* CONFIG_SECURITY_NETWORK */
-
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
-static int cap_xfrm_policy_alloc_security(struct xfrm_sec_ctx **ctxp,
- struct xfrm_user_sec_ctx *sec_ctx)
-{
- return 0;
-}
-
-static int cap_xfrm_policy_clone_security(struct xfrm_sec_ctx *old_ctx,
- struct xfrm_sec_ctx **new_ctxp)
-{
- return 0;
-}
-
-static void cap_xfrm_policy_free_security(struct xfrm_sec_ctx *ctx)
-{
-}
-
-static int cap_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx)
-{
- return 0;
-}
-
-static int cap_xfrm_state_alloc_security(struct xfrm_state *x,
- struct xfrm_user_sec_ctx *sec_ctx,
- u32 secid)
-{
- return 0;
-}
-
-static void cap_xfrm_state_free_security(struct xfrm_state *x)
-{
-}
-
-static int cap_xfrm_state_delete_security(struct xfrm_state *x)
-{
- return 0;
-}
-
-static int cap_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 sk_sid, u8 dir)
-{
- return 0;
-}
-
-static int cap_xfrm_state_pol_flow_match(struct xfrm_state *x,
- struct xfrm_policy *xp,
- const struct flowi *fl)
-{
- return 1;
-}
-
-static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
-{
- return 0;
-}
-
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
-{
-}
-
-static int cap_getprocattr(struct task_struct *p, char *name, char **value)
-{
- return -EINVAL;
-}
-
-static int cap_setprocattr(struct task_struct *p, char *name, void *value,
- size_t size)
-{
- return -EINVAL;
-}
-
-static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
-{
- return -EOPNOTSUPP;
-}
-
-static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
-{
- *secid = 0;
- return 0;
-}
-
-static void cap_release_secctx(char *secdata, u32 seclen)
-{
-}
-
-static int cap_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
-{
- return 0;
-}
-
-static int cap_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
-{
- return 0;
-}
-
-static int cap_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
-{
- return 0;
-}
-#ifdef CONFIG_KEYS
-static int cap_key_alloc(struct key *key, const struct cred *cred,
- unsigned long flags)
-{
- return 0;
-}
-
-static void cap_key_free(struct key *key)
-{
-}
-
-static int cap_key_permission(key_ref_t key_ref, const struct cred *cred,
- key_perm_t perm)
-{
- return 0;
-}
-
-static int cap_key_getsecurity(struct key *key, char **_buffer)
-{
- *_buffer = NULL;
- return 0;
-}
-
-#endif /* CONFIG_KEYS */
-
-#ifdef CONFIG_AUDIT
-static int cap_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
-{
- return 0;
-}
-
-static int cap_audit_rule_known(struct audit_krule *krule)
-{
- return 0;
-}
-
-static int cap_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
- struct audit_context *actx)
-{
- return 0;
-}
-
-static void cap_audit_rule_free(void *lsmrule)
-{
-}
-#endif /* CONFIG_AUDIT */
-
-#define set_to_cap_if_null(ops, function) \
- do { \
- if (!ops->function) { \
- ops->function = cap_##function; \
- pr_debug("Had to override the " #function \
- " security operation with the default.\n");\
- } \
- } while (0)
-
-void __init security_fixup_ops(struct security_operations *ops)
-{
- set_to_cap_if_null(ops, ptrace_access_check);
- set_to_cap_if_null(ops, ptrace_traceme);
- set_to_cap_if_null(ops, capget);
- set_to_cap_if_null(ops, capset);
- set_to_cap_if_null(ops, capable);
- set_to_cap_if_null(ops, quotactl);
- set_to_cap_if_null(ops, quota_on);
- set_to_cap_if_null(ops, syslog);
- set_to_cap_if_null(ops, settime);
- set_to_cap_if_null(ops, vm_enough_memory);
- set_to_cap_if_null(ops, bprm_set_creds);
- set_to_cap_if_null(ops, bprm_committing_creds);
- set_to_cap_if_null(ops, bprm_committed_creds);
- set_to_cap_if_null(ops, bprm_check_security);
- set_to_cap_if_null(ops, bprm_secureexec);
- set_to_cap_if_null(ops, sb_alloc_security);
- set_to_cap_if_null(ops, sb_free_security);
- set_to_cap_if_null(ops, sb_copy_data);
- set_to_cap_if_null(ops, sb_remount);
- set_to_cap_if_null(ops, sb_kern_mount);
- set_to_cap_if_null(ops, sb_show_options);
- set_to_cap_if_null(ops, sb_statfs);
- set_to_cap_if_null(ops, sb_mount);
- set_to_cap_if_null(ops, sb_umount);
- set_to_cap_if_null(ops, sb_pivotroot);
- set_to_cap_if_null(ops, sb_set_mnt_opts);
- set_to_cap_if_null(ops, sb_clone_mnt_opts);
- set_to_cap_if_null(ops, sb_parse_opts_str);
- set_to_cap_if_null(ops, inode_alloc_security);
- set_to_cap_if_null(ops, inode_free_security);
- set_to_cap_if_null(ops, inode_init_security);
- set_to_cap_if_null(ops, inode_create);
- set_to_cap_if_null(ops, inode_link);
- set_to_cap_if_null(ops, inode_unlink);
- set_to_cap_if_null(ops, inode_symlink);
- set_to_cap_if_null(ops, inode_mkdir);
- set_to_cap_if_null(ops, inode_rmdir);
- set_to_cap_if_null(ops, inode_mknod);
- set_to_cap_if_null(ops, inode_rename);
- set_to_cap_if_null(ops, inode_readlink);
- set_to_cap_if_null(ops, inode_follow_link);
- set_to_cap_if_null(ops, inode_permission);
- set_to_cap_if_null(ops, inode_setattr);
- set_to_cap_if_null(ops, inode_getattr);
- set_to_cap_if_null(ops, inode_setxattr);
- set_to_cap_if_null(ops, inode_post_setxattr);
- set_to_cap_if_null(ops, inode_getxattr);
- set_to_cap_if_null(ops, inode_listxattr);
- set_to_cap_if_null(ops, inode_removexattr);
- set_to_cap_if_null(ops, inode_need_killpriv);
- set_to_cap_if_null(ops, inode_killpriv);
- set_to_cap_if_null(ops, inode_getsecurity);
- set_to_cap_if_null(ops, inode_setsecurity);
- set_to_cap_if_null(ops, inode_listsecurity);
- set_to_cap_if_null(ops, inode_getsecid);
-#ifdef CONFIG_SECURITY_PATH
- set_to_cap_if_null(ops, path_mknod);
- set_to_cap_if_null(ops, path_mkdir);
- set_to_cap_if_null(ops, path_rmdir);
- set_to_cap_if_null(ops, path_unlink);
- set_to_cap_if_null(ops, path_symlink);
- set_to_cap_if_null(ops, path_link);
- set_to_cap_if_null(ops, path_rename);
- set_to_cap_if_null(ops, path_truncate);
- set_to_cap_if_null(ops, path_chmod);
- set_to_cap_if_null(ops, path_chown);
- set_to_cap_if_null(ops, path_chroot);
-#endif
- set_to_cap_if_null(ops, file_permission);
- set_to_cap_if_null(ops, file_alloc_security);
- set_to_cap_if_null(ops, file_free_security);
- set_to_cap_if_null(ops, file_ioctl);
- set_to_cap_if_null(ops, mmap_addr);
- set_to_cap_if_null(ops, file_mprotect);
- set_to_cap_if_null(ops, file_lock);
- set_to_cap_if_null(ops, file_fcntl);
- set_to_cap_if_null(ops, file_set_fowner);
- set_to_cap_if_null(ops, file_send_sigiotask);
- set_to_cap_if_null(ops, file_receive);
- set_to_cap_if_null(ops, file_open);
- set_to_cap_if_null(ops, task_create);
- set_to_cap_if_null(ops, task_free);
- set_to_cap_if_null(ops, cred_alloc_blank);
- set_to_cap_if_null(ops, cred_free);
- set_to_cap_if_null(ops, cred_prepare);
- set_to_cap_if_null(ops, cred_transfer);
- set_to_cap_if_null(ops, kernel_act_as);
- set_to_cap_if_null(ops, kernel_create_files_as);
- set_to_cap_if_null(ops, kernel_module_request);
- set_to_cap_if_null(ops, kernel_module_from_file);
- set_to_cap_if_null(ops, task_fix_setuid);
- set_to_cap_if_null(ops, task_setpgid);
- set_to_cap_if_null(ops, task_getpgid);
- set_to_cap_if_null(ops, task_getsid);
- set_to_cap_if_null(ops, task_getsecid);
- set_to_cap_if_null(ops, task_setnice);
- set_to_cap_if_null(ops, task_setioprio);
- set_to_cap_if_null(ops, task_getioprio);
- set_to_cap_if_null(ops, task_setrlimit);
- set_to_cap_if_null(ops, task_setscheduler);
- set_to_cap_if_null(ops, task_getscheduler);
- set_to_cap_if_null(ops, task_movememory);
- set_to_cap_if_null(ops, task_wait);
- set_to_cap_if_null(ops, task_kill);
- set_to_cap_if_null(ops, task_prctl);
- set_to_cap_if_null(ops, task_to_inode);
- set_to_cap_if_null(ops, ipc_permission);
- set_to_cap_if_null(ops, ipc_getsecid);
- set_to_cap_if_null(ops, msg_msg_alloc_security);
- set_to_cap_if_null(ops, msg_msg_free_security);
- set_to_cap_if_null(ops, msg_queue_alloc_security);
- set_to_cap_if_null(ops, msg_queue_free_security);
- set_to_cap_if_null(ops, msg_queue_associate);
- set_to_cap_if_null(ops, msg_queue_msgctl);
- set_to_cap_if_null(ops, msg_queue_msgsnd);
- set_to_cap_if_null(ops, msg_queue_msgrcv);
- set_to_cap_if_null(ops, shm_alloc_security);
- set_to_cap_if_null(ops, shm_free_security);
- set_to_cap_if_null(ops, shm_associate);
- set_to_cap_if_null(ops, shm_shmctl);
- set_to_cap_if_null(ops, shm_shmat);
- set_to_cap_if_null(ops, sem_alloc_security);
- set_to_cap_if_null(ops, sem_free_security);
- set_to_cap_if_null(ops, sem_associate);
- set_to_cap_if_null(ops, sem_semctl);
- set_to_cap_if_null(ops, sem_semop);
- set_to_cap_if_null(ops, netlink_send);
- set_to_cap_if_null(ops, d_instantiate);
- set_to_cap_if_null(ops, getprocattr);
- set_to_cap_if_null(ops, setprocattr);
- set_to_cap_if_null(ops, secid_to_secctx);
- set_to_cap_if_null(ops, secctx_to_secid);
- set_to_cap_if_null(ops, release_secctx);
- set_to_cap_if_null(ops, inode_notifysecctx);
- set_to_cap_if_null(ops, inode_setsecctx);
- set_to_cap_if_null(ops, inode_getsecctx);
-#ifdef CONFIG_SECURITY_NETWORK
- set_to_cap_if_null(ops, unix_stream_connect);
- set_to_cap_if_null(ops, unix_may_send);
- set_to_cap_if_null(ops, socket_create);
- set_to_cap_if_null(ops, socket_post_create);
- set_to_cap_if_null(ops, socket_bind);
- set_to_cap_if_null(ops, socket_connect);
- set_to_cap_if_null(ops, socket_listen);
- set_to_cap_if_null(ops, socket_accept);
- set_to_cap_if_null(ops, socket_sendmsg);
- set_to_cap_if_null(ops, socket_recvmsg);
- set_to_cap_if_null(ops, socket_getsockname);
- set_to_cap_if_null(ops, socket_getpeername);
- set_to_cap_if_null(ops, socket_setsockopt);
- set_to_cap_if_null(ops, socket_getsockopt);
- set_to_cap_if_null(ops, socket_shutdown);
- set_to_cap_if_null(ops, socket_sock_rcv_skb);
- set_to_cap_if_null(ops, socket_getpeersec_stream);
- set_to_cap_if_null(ops, socket_getpeersec_dgram);
- set_to_cap_if_null(ops, sk_alloc_security);
- set_to_cap_if_null(ops, sk_free_security);
- set_to_cap_if_null(ops, sk_clone_security);
- set_to_cap_if_null(ops, sk_getsecid);
- set_to_cap_if_null(ops, sock_graft);
- set_to_cap_if_null(ops, inet_conn_request);
- set_to_cap_if_null(ops, inet_csk_clone);
- set_to_cap_if_null(ops, inet_conn_established);
- set_to_cap_if_null(ops, secmark_relabel_packet);
- set_to_cap_if_null(ops, secmark_refcount_inc);
- set_to_cap_if_null(ops, secmark_refcount_dec);
- set_to_cap_if_null(ops, req_classify_flow);
- set_to_cap_if_null(ops, tun_dev_alloc_security);
- set_to_cap_if_null(ops, tun_dev_free_security);
- set_to_cap_if_null(ops, tun_dev_create);
- set_to_cap_if_null(ops, tun_dev_open);
- set_to_cap_if_null(ops, tun_dev_attach_queue);
- set_to_cap_if_null(ops, tun_dev_attach);
- set_to_cap_if_null(ops, skb_owned_by);
-#endif /* CONFIG_SECURITY_NETWORK */
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
- set_to_cap_if_null(ops, xfrm_policy_alloc_security);
- set_to_cap_if_null(ops, xfrm_policy_clone_security);
- set_to_cap_if_null(ops, xfrm_policy_free_security);
- set_to_cap_if_null(ops, xfrm_policy_delete_security);
- set_to_cap_if_null(ops, xfrm_state_alloc_security);
- set_to_cap_if_null(ops, xfrm_state_free_security);
- set_to_cap_if_null(ops, xfrm_state_delete_security);
- set_to_cap_if_null(ops, xfrm_policy_lookup);
- set_to_cap_if_null(ops, xfrm_state_pol_flow_match);
- set_to_cap_if_null(ops, xfrm_decode_session);
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-#ifdef CONFIG_KEYS
- set_to_cap_if_null(ops, key_alloc);
- set_to_cap_if_null(ops, key_free);
- set_to_cap_if_null(ops, key_permission);
- set_to_cap_if_null(ops, key_getsecurity);
-#endif /* CONFIG_KEYS */
-#ifdef CONFIG_AUDIT
- set_to_cap_if_null(ops, audit_rule_init);
- set_to_cap_if_null(ops, audit_rule_known);
- set_to_cap_if_null(ops, audit_rule_match);
- set_to_cap_if_null(ops, audit_rule_free);
-#endif
-}
^ permalink raw reply related [flat|nested] 27+ messages in thread
* Re: [PATCH v13 9/9] LSM: Documentation and cleanup
2013-04-23 16:05 ` [PATCH v13 9/9] LSM: Documentation and cleanup Casey Schaufler
@ 2013-04-23 19:02 ` Randy Dunlap
0 siblings, 0 replies; 27+ messages in thread
From: Randy Dunlap @ 2013-04-23 19:02 UTC (permalink / raw)
To: Casey Schaufler
Cc: LSM, LKLM, SE Linux, James Morris, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
On 04/23/13 09:05, Casey Schaufler wrote:
> Subject: [PATCH v13 9/9] LSM: Documentation and cleanup
>
> Add a description of the ways secuirty modules work now.
security
> Remove security/capability.c as it is no longer used.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> ---
> Documentation/security/LSM.txt | 39 +-
> security/Makefile | 3 +-
> security/capability.c | 1104 ----------------------------------------
> 3 files changed, 31 insertions(+), 1115 deletions(-)
>
> diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt
> index c335a76..f979e00 100644
> --- a/Documentation/security/LSM.txt
> +++ b/Documentation/security/LSM.txt
> @@ -9,18 +9,39 @@ CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the
> "security=..." kernel command line argument, in the case where multiple
> LSMs were built into a given kernel.
>
> +Both CONFIG_DEFAULT_SECURITY and the "security=" option take a comma
> +separated list of LSM names. The LSM hooks are invoked in the order
> +specified. All hooks provided are invoked regardless of the outcome
> +of preceeding hooks. Hooks the return success or failure results
preceding . ^^^confusing sentence structure^^^
> +return success if all of the LSM provided hooks succeed and the error
> +code of the last failing hook on error.
> +
> +The /proc filesystem attribute interface supports files from a time
> +when only one LSM could be used at a time. CONFIG_PRESENT_SECURITY
> +defines which LSM uses these interfaces. There are also LSM identified
> +interfaces which should be used in preference to the undifferentiated
> +interfaces.
--
~Randy
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 7/9] LSM: remove Yama special case stacking
2013-04-23 16:04 ` [PATCH v13 7/9] LSM: remove Yama special case stacking Casey Schaufler
@ 2013-04-23 20:12 ` Kees Cook
0 siblings, 0 replies; 27+ messages in thread
From: Kees Cook @ 2013-04-23 20:12 UTC (permalink / raw)
To: Casey Schaufler
Cc: LSM, LKLM, SE Linux, James Morris, John Johansen, Eric Paris,
Tetsuo Handa
On Tue, Apr 23, 2013 at 9:04 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> Subject: [PATCH v13 7/9] LSM: remove Yama special case stacking
>
> Remove the special case stacking for Yama.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> ---
> security/security.c | 21 ---------------------
> security/yama/Kconfig | 8 --------
> security/yama/yama_lsm.c | 19 -------------------
> 3 files changed, 48 deletions(-)
In the 8/9 patch, the Yama externs are removed from
include/linux/security.h. That change should likely be moved to this
one, since the calls to those are being removed from
security/security.c in this patch:
> diff --git a/security/security.c b/security/security.c
> index d0b768c..67e435b 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -138,23 +138,11 @@ int __init register_security(struct security_operations *ops)
>
> int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
> {
> -#ifdef CONFIG_SECURITY_YAMA_STACKED
> - int rc;
> - rc = yama_ptrace_access_check(child, mode);
> - if (rc)
> - return rc;
> -#endif
> return security_ops->ptrace_access_check(child, mode);
> }
>
> int security_ptrace_traceme(struct task_struct *parent)
> {
> -#ifdef CONFIG_SECURITY_YAMA_STACKED
> - int rc;
> - rc = yama_ptrace_traceme(parent);
> - if (rc)
> - return rc;
> -#endif
> return security_ops->ptrace_traceme(parent);
> }
>
> @@ -783,9 +771,6 @@ int security_task_create(unsigned long clone_flags)
>
> void security_task_free(struct task_struct *task)
> {
> -#ifdef CONFIG_SECURITY_YAMA_STACKED
> - yama_task_free(task);
> -#endif
> security_ops->task_free(task);
> }
>
> @@ -911,12 +896,6 @@ int security_task_wait(struct task_struct *p)
> int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> unsigned long arg4, unsigned long arg5)
> {
> -#ifdef CONFIG_SECURITY_YAMA_STACKED
> - int rc;
> - rc = yama_task_prctl(option, arg2, arg3, arg4, arg5);
> - if (rc != -ENOSYS)
> - return rc;
> -#endif
> return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
> }
>
> diff --git a/security/yama/Kconfig b/security/yama/Kconfig
> index 20ef514..51d6709 100644
> --- a/security/yama/Kconfig
> +++ b/security/yama/Kconfig
> @@ -11,11 +11,3 @@ config SECURITY_YAMA
> Further information can be found in Documentation/security/Yama.txt.
>
> If you are unsure how to answer this question, answer N.
> -
> -config SECURITY_YAMA_STACKED
> - bool "Yama stacked with other LSMs"
> - depends on SECURITY_YAMA
> - default n
> - help
> - When Yama is built into the kernel, force it to stack with the
> - selected primary LSM.
Patch 8/9 removes a blank line from this Kconfig. It should probably
be moved to here.
> diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
> index 13c88fbc..63ad9bb 100644
> --- a/security/yama/yama_lsm.c
> +++ b/security/yama/yama_lsm.c
> @@ -364,16 +364,6 @@ int yama_ptrace_traceme(struct task_struct *parent)
> return rc;
> }
>
> -#ifndef CONFIG_SECURITY_YAMA_STACKED
> -static struct security_operations yama_ops = {
> - .name = "yama",
> -
> - .ptrace_access_check = yama_ptrace_access_check,
> - .ptrace_traceme = yama_ptrace_traceme,
> - .task_prctl = yama_task_prctl,
> - .task_free = yama_task_free,
> -};
> -#endif
The yama_ops (and the calls to security_module_enable and
register_security) shouldn't be removed (just the ifdefs). They're
added back in 8/9, so I think they should just stay in place. (Or
rather, they should stay in place in this patch, and 8/9 should only
remove the register_security call, as done with the others.)
>
> #ifdef CONFIG_SYSCTL
> static int yama_dointvec_minmax(struct ctl_table *table, int write,
> @@ -420,18 +410,9 @@ static struct ctl_table yama_sysctl_table[] = {
>
> static __init int yama_init(void)
> {
> -#ifndef CONFIG_SECURITY_YAMA_STACKED
> - if (!security_module_enable(&yama_ops))
> - return 0;
> -#endif
>
> printk(KERN_INFO "Yama: becoming mindful.\n");
>
> -#ifndef CONFIG_SECURITY_YAMA_STACKED
> - if (register_security(&yama_ops))
> - panic("Yama: kernel registration failed.\n");
> -#endif
> -
> #ifdef CONFIG_SYSCTL
> if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table))
> panic("Yama: sysctl registration failed.\n");
Regardless: yay! I'm looking forward to this series landing. :)
-Kees
--
Kees Cook
Chrome OS Security
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 5/9] LSM: Networking component isolation
2013-04-23 16:04 ` [PATCH v13 5/9] LSM: Networking component isolation Casey Schaufler
@ 2013-04-24 18:51 ` Paul Moore
2013-04-24 19:09 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: Paul Moore @ 2013-04-24 18:51 UTC (permalink / raw)
To: Casey Schaufler
Cc: LSM, LKLM, SE Linux, James Morris, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
On Tuesday, April 23, 2013 09:04:31 AM Casey Schaufler wrote:
> Subject: [PATCH v13 5/9] LSM: Networking component isolation
>
> The NetLabel, XFRM and secmark networking mechanisms are
> limited to providing security information managed by one
> LSM. These changes interface the single LSM networking
> components with the multiple LSM system. Each of the
> networking components will identify the security ops
> vector of the LSM that will use it. There are various
> wrapper functions provided to make this obvious and
> painless.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
...
> diff --git a/include/net/netlabel.h b/include/net/netlabel.h
> index 2c95d55..c0cf965 100644
> --- a/include/net/netlabel.h
> +++ b/include/net/netlabel.h
> @@ -406,7 +406,8 @@ int netlbl_secattr_catmap_setrng(struct
> netlbl_lsm_secattr_catmap *catmap, /*
> * LSM protocol operations (NetLabel LSM/kernel API)
> */
> -int netlbl_enabled(void);
> +int netlbl_register_lsm(struct security_operations *lsmops);
Nit picky, but I'd prefer "netlbl_lsm_register()".
> +int netlbl_enabled(struct security_operations *lsmops);
> int netlbl_sock_setattr(struct sock *sk,
> u16 family,
> const struct netlbl_lsm_secattr *secattr);
...
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index 7c94aed..2881d48 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -607,23 +607,48 @@ int netlbl_secattr_catmap_setrng(struct
> netlbl_lsm_secattr_catmap *catmap, * LSM Functions
> */
>
> +struct security_operations *netlbl_active_lsm;
> +/**
> + * netlbl_register_lsm - Reserve the NetLabel subsystem for an LSM
> + *
> + * Description:
> + * To avoid potential conflicting views between LSMs over
> + * what should go in the network label reserve the Netlabel
> + * mechanism for use by one LSM. netlbl_enabled will return
> + * false for all other LSMs.
> + *
> + */
You need a description for the 'lsm' parameter in the comment header above.
Also, this is extremely nit picky but I'd like to see some vertical whitespace
between the netlbl_active_lsm declaration and the function header.
> +int netlbl_register_lsm(struct security_operations *lsm)
> +{
> + if (lsm == NULL)
> + return -EINVAL;
> +
> + if (netlbl_active_lsm == NULL)
> + netlbl_active_lsm = lsm;
> + else if (netlbl_active_lsm != lsm)
> + return -EBUSY;
> +
> + printk(KERN_INFO "NetLabel: Registered LSM \"%s\".\n", lsm->name);
> + return 0;
> +}
> +
> /**
> * netlbl_enabled - Determine if the NetLabel subsystem is enabled
> *
> * Description:
> * The LSM can use this function to determine if it should use NetLabel
> - * security attributes in it's enforcement mechanism. Currently, NetLabel
> - * considered to be enabled when it's configuration contains a valid
> + * security attributes in it's enforcement mechanism. NetLabel
> + * considered to be enabled when the LSM making the call is registered
> + * the netlabel configuration contains a valid setup for
> * at least one labeled protocol (i.e. NetLabel can understand incoming
> * labeled packets of at least one type); otherwise NetLabel is considered
> * be disabled.
> *
> */
Same thing, you need a description for the 'lsm' parameter in the comment
header above.
> -int netlbl_enabled(void)
> +int netlbl_enabled(struct security_operations *lsm)
> {
> - /* At some point we probably want to expose this mechanism to the user
> - * as well so that admins can toggle NetLabel regardless of the
> - * configuration */
It really doesn't matter if you remove that comment or not, but I believe it
still applies so long as we do the LSM check first.
> + if (netlbl_active_lsm != lsm)
> + return 0;
> return (atomic_read(&netlabel_mgmt_protocount) > 0);
> }
...
> diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
> index a6f1705..9990b24 100644
> --- a/net/netlabel/netlabel_user.h
> +++ b/net/netlabel/netlabel_user.h
> @@ -41,6 +41,65 @@
>
> /* NetLabel NETLINK helper functions */
>
> +extern struct security_operations *netlbl_active_lsm;
> +
> +/**
> + * netlbl_secid_to_secctx - call the registered secid_to_secctx LSM hook
> + * @secid - The secid to convert
> + * @secdata - Where to put the result
> + * @seclen - Where to put the length of the result
> + *
> + * Returns: the result of calling the hook.
> + */
> +static inline int netlbl_secid_to_secctx(u32 secid, char **secdata, u32
> *seclen) +{
> + if (netlbl_active_lsm == NULL)
> + return -EINVAL;
> + return netlbl_active_lsm->secid_to_secctx(secid, secdata, seclen);
> +}
> +
> +/**
> + * netlbl_release_secctx - call the registered release_secctx LSM hook
> + * @secdata - The security context to release
> + * @seclen - The size of the context to release
> + *
> + */
> +static inline void netlbl_release_secctx(char *secdata, u32 seclen)
> +{
> + if (netlbl_active_lsm != NULL)
> + netlbl_active_lsm->release_secctx(secdata, seclen);
> +}
> +
> +/**
> + * netlbl_secctx_to_secid - call the registered seccts_to_secid LSM hook
> + * @secdata - The security context
> + * @seclen - The size of the security context
> + * @secid - Where to put the result
> + *
> + * Returns: the result of calling the hook
> + */
> +static inline int netlbl_secctx_to_secid(const char *secdata, u32 seclen,
> + u32 *secid)
> +{
> + if (netlbl_active_lsm == NULL) {
> + *secid = 0;
> + return -EINVAL;
> + }
> + return netlbl_active_lsm->secctx_to_secid(secdata, seclen, secid);
> +}
> +
> +/**
> + * netlbl_task_getsecid - call the registered task_getsecid LSM hook
> + * @p - The task
> + * @secid - Where to put the secid
> + *
> + */
> +static inline void netlbl_task_getsecid(struct task_struct *p, u32 *secid)
> +{
> + if (netlbl_active_lsm)
> + netlbl_active_lsm->task_getsecid(p, secid);
> +}
Any particular reason you put all these functions in 'netlabel_user.h'? I ask
because this header is related to the NetLabel netlink interface, with some
minor audit stuff tossed in for good measure; it really has nothing to do with
the LSM secctx/secid stuff. I'd probably prefer these functions end up in
their own header file for the sake of better organization, maybe
'netlabel_secid.h'?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-23 16:04 ` [PATCH v13 0/9] LSM: Multiple concurrent LSMs Casey Schaufler
@ 2013-04-24 18:57 ` Paul Moore
2013-04-24 20:22 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: Paul Moore @ 2013-04-24 18:57 UTC (permalink / raw)
To: Casey Schaufler
Cc: LSM, LKLM, SE Linux, James Morris, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
On Tuesday, April 23, 2013 09:04:06 AM Casey Schaufler wrote:
> Subject: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
>
> Change the infrastructure for Linux Security Modules (LSM)s from a
> single vector of hook handlers to a list based method for handling
> multiple concurrent modules.
>
> The "security=" boot option takes a comma separated list of LSMs,
> registering them in the order presented. The LSM hooks will be
> executed in the order registered. Hooks that return errors are
> not short circuited. All hooks are called even if one of the LSM
> hooks fails. The result returned will be that of the last LSM
> hook that failed.
...
> The NetLabel, XFRM and secmark facilities are restricted to use
> by one LSM at a time. This is due to limitations of the underlying
> networking mechanisms. The good news is that viable configurations
> can be created. The bad news is that the complexity of configuring
> a system is necessarily increased.
I know we had a good discussion about this a while back and I just wanted to
hear from you about this current patchset; how does the labeled networking LSM
assignment work? Is it first-come-first-served based on the 'security='
setting?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 5/9] LSM: Networking component isolation
2013-04-24 18:51 ` Paul Moore
@ 2013-04-24 19:09 ` Casey Schaufler
2013-04-24 21:04 ` Paul Moore
0 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2013-04-24 19:09 UTC (permalink / raw)
To: Paul Moore
Cc: LSM, LKLM, SE Linux, James Morris, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook, Casey Schaufler
On 4/24/2013 11:51 AM, Paul Moore wrote:
> On Tuesday, April 23, 2013 09:04:31 AM Casey Schaufler wrote:
>> Subject: [PATCH v13 5/9] LSM: Networking component isolation
>>
>> The NetLabel, XFRM and secmark networking mechanisms are
>> limited to providing security information managed by one
>> LSM. These changes interface the single LSM networking
>> components with the multiple LSM system. Each of the
>> networking components will identify the security ops
>> vector of the LSM that will use it. There are various
>> wrapper functions provided to make this obvious and
>> painless.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ...
>
>> diff --git a/include/net/netlabel.h b/include/net/netlabel.h
>> index 2c95d55..c0cf965 100644
>> --- a/include/net/netlabel.h
>> +++ b/include/net/netlabel.h
>> @@ -406,7 +406,8 @@ int netlbl_secattr_catmap_setrng(struct
>> netlbl_lsm_secattr_catmap *catmap, /*
>> * LSM protocol operations (NetLabel LSM/kernel API)
>> */
>> -int netlbl_enabled(void);
>> +int netlbl_register_lsm(struct security_operations *lsmops);
> Nit picky, but I'd prefer "netlbl_lsm_register()".
Not a problem. I will conform to your conventions.
>
>> +int netlbl_enabled(struct security_operations *lsmops);
>> int netlbl_sock_setattr(struct sock *sk,
>> u16 family,
>> const struct netlbl_lsm_secattr *secattr);
> ...
>
>> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
>> index 7c94aed..2881d48 100644
>> --- a/net/netlabel/netlabel_kapi.c
>> +++ b/net/netlabel/netlabel_kapi.c
>> @@ -607,23 +607,48 @@ int netlbl_secattr_catmap_setrng(struct
>> netlbl_lsm_secattr_catmap *catmap, * LSM Functions
>> */
>>
>> +struct security_operations *netlbl_active_lsm;
>> +/**
>> + * netlbl_register_lsm - Reserve the NetLabel subsystem for an LSM
>> + *
>> + * Description:
>> + * To avoid potential conflicting views between LSMs over
>> + * what should go in the network label reserve the Netlabel
>> + * mechanism for use by one LSM. netlbl_enabled will return
>> + * false for all other LSMs.
>> + *
>> + */
> You need a description for the 'lsm' parameter in the comment header above.
Thank you. I missed that.
> Also, this is extremely nit picky but I'd like to see some vertical whitespace
> between the netlbl_active_lsm declaration and the function header.
White space is easy.
>> +int netlbl_register_lsm(struct security_operations *lsm)
>> +{
>> + if (lsm == NULL)
>> + return -EINVAL;
>> +
>> + if (netlbl_active_lsm == NULL)
>> + netlbl_active_lsm = lsm;
>> + else if (netlbl_active_lsm != lsm)
>> + return -EBUSY;
>> +
>> + printk(KERN_INFO "NetLabel: Registered LSM \"%s\".\n", lsm->name);
>> + return 0;
>> +}
>> +
>> /**
>> * netlbl_enabled - Determine if the NetLabel subsystem is enabled
>> *
>> * Description:
>> * The LSM can use this function to determine if it should use NetLabel
>> - * security attributes in it's enforcement mechanism. Currently, NetLabel
>> - * considered to be enabled when it's configuration contains a valid
>> + * security attributes in it's enforcement mechanism. NetLabel
>> + * considered to be enabled when the LSM making the call is registered
>> + * the netlabel configuration contains a valid setup for
>> * at least one labeled protocol (i.e. NetLabel can understand incoming
>> * labeled packets of at least one type); otherwise NetLabel is considered
>> * be disabled.
>> *
>> */
> Same thing, you need a description for the 'lsm' parameter in the comment
> header above.
I'll add that.
>> -int netlbl_enabled(void)
>> +int netlbl_enabled(struct security_operations *lsm)
>> {
>> - /* At some point we probably want to expose this mechanism to the user
>> - * as well so that admins can toggle NetLabel regardless of the
>> - * configuration */
> It really doesn't matter if you remove that comment or not, but I believe it
> still applies so long as we do the LSM check first.
OK. I'll leave it alone.
>> + if (netlbl_active_lsm != lsm)
>> + return 0;
>> return (atomic_read(&netlabel_mgmt_protocount) > 0);
>> }
> ...
>
>> diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
>> index a6f1705..9990b24 100644
>> --- a/net/netlabel/netlabel_user.h
>> +++ b/net/netlabel/netlabel_user.h
>> @@ -41,6 +41,65 @@
>>
>> /* NetLabel NETLINK helper functions */
>>
>> +extern struct security_operations *netlbl_active_lsm;
>> +
>> +/**
>> + * netlbl_secid_to_secctx - call the registered secid_to_secctx LSM hook
>> + * @secid - The secid to convert
>> + * @secdata - Where to put the result
>> + * @seclen - Where to put the length of the result
>> + *
>> + * Returns: the result of calling the hook.
>> + */
>> +static inline int netlbl_secid_to_secctx(u32 secid, char **secdata, u32
>> *seclen) +{
>> + if (netlbl_active_lsm == NULL)
>> + return -EINVAL;
>> + return netlbl_active_lsm->secid_to_secctx(secid, secdata, seclen);
>> +}
>> +
>> +/**
>> + * netlbl_release_secctx - call the registered release_secctx LSM hook
>> + * @secdata - The security context to release
>> + * @seclen - The size of the context to release
>> + *
>> + */
>> +static inline void netlbl_release_secctx(char *secdata, u32 seclen)
>> +{
>> + if (netlbl_active_lsm != NULL)
>> + netlbl_active_lsm->release_secctx(secdata, seclen);
>> +}
>> +
>> +/**
>> + * netlbl_secctx_to_secid - call the registered seccts_to_secid LSM hook
>> + * @secdata - The security context
>> + * @seclen - The size of the security context
>> + * @secid - Where to put the result
>> + *
>> + * Returns: the result of calling the hook
>> + */
>> +static inline int netlbl_secctx_to_secid(const char *secdata, u32 seclen,
>> + u32 *secid)
>> +{
>> + if (netlbl_active_lsm == NULL) {
>> + *secid = 0;
>> + return -EINVAL;
>> + }
>> + return netlbl_active_lsm->secctx_to_secid(secdata, seclen, secid);
>> +}
>> +
>> +/**
>> + * netlbl_task_getsecid - call the registered task_getsecid LSM hook
>> + * @p - The task
>> + * @secid - Where to put the secid
>> + *
>> + */
>> +static inline void netlbl_task_getsecid(struct task_struct *p, u32 *secid)
>> +{
>> + if (netlbl_active_lsm)
>> + netlbl_active_lsm->task_getsecid(p, secid);
>> +}
> Any particular reason you put all these functions in 'netlabel_user.h'? I ask
> because this header is related to the NetLabel netlink interface, with some
> minor audit stuff tossed in for good measure; it really has nothing to do with
> the LSM secctx/secid stuff. I'd probably prefer these functions end up in
> their own header file for the sake of better organization, maybe
> 'netlabel_secid.h'?
I can put it anywhere you like. I'd prefer netlabel_lsm.h to netlabel_secid.h,
but if you have a strong preference I'll defer to your conventions.
Thank you.
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-24 18:57 ` Paul Moore
@ 2013-04-24 20:22 ` Casey Schaufler
2013-04-24 21:15 ` Paul Moore
0 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2013-04-24 20:22 UTC (permalink / raw)
To: Paul Moore
Cc: LSM, LKLM, SE Linux, James Morris, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
On 4/24/2013 11:57 AM, Paul Moore wrote:
> On Tuesday, April 23, 2013 09:04:06 AM Casey Schaufler wrote:
>> Subject: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
>>
>> Change the infrastructure for Linux Security Modules (LSM)s from a
>> single vector of hook handlers to a list based method for handling
>> multiple concurrent modules.
>>
>> The "security=" boot option takes a comma separated list of LSMs,
>> registering them in the order presented. The LSM hooks will be
>> executed in the order registered. Hooks that return errors are
>> not short circuited. All hooks are called even if one of the LSM
>> hooks fails. The result returned will be that of the last LSM
>> hook that failed.
> ...
>
>> The NetLabel, XFRM and secmark facilities are restricted to use
>> by one LSM at a time. This is due to limitations of the underlying
>> networking mechanisms. The good news is that viable configurations
>> can be created. The bad news is that the complexity of configuring
>> a system is necessarily increased.
> I know we had a good discussion about this a while back and I just wanted to
> hear from you about this current patchset; how does the labeled networking LSM
> assignment work? Is it first-come-first-served based on the 'security='
> setting?
It's explicitly set in security/Kconfig. The problem with
first-come-first-serve is that the LSMs don't actually register
in the order specified, either at build time or boot time.
Further, until the init phase is complete, you don't know which
LSMs are actually going to register. That, and I promised Tetsuo
I wouldn't go out of my way to prevent late module loading in
the future.
I could do order checking on module registration and take
the networking component away from an LSM that registered
earlier, but with a larger order number I suppose.
The default configuration gives xfrm and secmark to SELinux
and NetLabel to Smack. If Smack is not included NetLabel goes
to SELinux. When LSMs using any of these facilities are added
in the future we'll have to negotiate the defaults.
An interesting aside that may be relevant is that the error
condition behavior makes it advisable to have the LSM you care
about most go last. If the networking components were strictly
FCFS you might have to chose an ordering you might not want for
other reasons.
It would be possible to have a boot time specification for
the networking components if you think it's important. I do
worry about making it excessively complicated. I'd be much more
concerned if more LSMs used the networking components.
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 5/9] LSM: Networking component isolation
2013-04-24 19:09 ` Casey Schaufler
@ 2013-04-24 21:04 ` Paul Moore
0 siblings, 0 replies; 27+ messages in thread
From: Paul Moore @ 2013-04-24 21:04 UTC (permalink / raw)
To: Casey Schaufler
Cc: LSM, LKLM, SE Linux, James Morris, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
On Wednesday, April 24, 2013 12:09:50 PM Casey Schaufler wrote:
> On 4/24/2013 11:51 AM, Paul Moore wrote:
> > On Tuesday, April 23, 2013 09:04:31 AM Casey Schaufler wrote:
> >> Subject: [PATCH v13 5/9] LSM: Networking component isolation
> >>
> >> The NetLabel, XFRM and secmark networking mechanisms are
> >> limited to providing security information managed by one
> >> LSM. These changes interface the single LSM networking
> >> components with the multiple LSM system. Each of the
> >> networking components will identify the security ops
> >> vector of the LSM that will use it. There are various
> >> wrapper functions provided to make this obvious and
> >> painless.
> >>
> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> >
> > ...
> >
> >> diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
> >> index a6f1705..9990b24 100644
> >> --- a/net/netlabel/netlabel_user.h
> >> +++ b/net/netlabel/netlabel_user.h
> >> @@ -41,6 +41,65 @@
> >>
> >> /* NetLabel NETLINK helper functions */
> >>
> >> +extern struct security_operations *netlbl_active_lsm;
> >> +
> >> +/**
> >> + * netlbl_secid_to_secctx - call the registered secid_to_secctx LSM hook
> >> + * @secid - The secid to convert
> >> + * @secdata - Where to put the result
> >> + * @seclen - Where to put the length of the result
> >> + *
> >> + * Returns: the result of calling the hook.
> >> + */
> >> +static inline int netlbl_secid_to_secctx(u32 secid, char **secdata, u32
> >> *seclen) +{
> >> + if (netlbl_active_lsm == NULL)
> >> + return -EINVAL;
> >> + return netlbl_active_lsm->secid_to_secctx(secid, secdata, seclen);
> >> +}
> >> +
> >> +/**
> >> + * netlbl_release_secctx - call the registered release_secctx LSM hook
> >> + * @secdata - The security context to release
> >> + * @seclen - The size of the context to release
> >> + *
> >> + */
> >> +static inline void netlbl_release_secctx(char *secdata, u32 seclen)
> >> +{
> >> + if (netlbl_active_lsm != NULL)
> >> + netlbl_active_lsm->release_secctx(secdata, seclen);
> >> +}
> >> +
> >> +/**
> >> + * netlbl_secctx_to_secid - call the registered seccts_to_secid LSM hook
> >> + * @secdata - The security context
> >> + * @seclen - The size of the security context
> >> + * @secid - Where to put the result
> >> + *
> >> + * Returns: the result of calling the hook
> >> + */
> >> +static inline int netlbl_secctx_to_secid(const char *secdata, u32
> >> seclen,
> >> + u32 *secid)
> >> +{
> >> + if (netlbl_active_lsm == NULL) {
> >> + *secid = 0;
> >> + return -EINVAL;
> >> + }
> >> + return netlbl_active_lsm->secctx_to_secid(secdata, seclen, secid);
> >> +}
> >> +
> >> +/**
> >> + * netlbl_task_getsecid - call the registered task_getsecid LSM hook
> >> + * @p - The task
> >> + * @secid - Where to put the secid
> >> + *
> >> + */
> >> +static inline void netlbl_task_getsecid(struct task_struct *p, u32
> >> *secid)
> >> +{
> >> + if (netlbl_active_lsm)
> >> + netlbl_active_lsm->task_getsecid(p, secid);
> >> +}
> >
> > Any particular reason you put all these functions in 'netlabel_user.h'? I
> > ask because this header is related to the NetLabel netlink interface,
> > with some minor audit stuff tossed in for good measure; it really has
> > nothing to do with the LSM secctx/secid stuff. I'd probably prefer these
> > functions end up in their own header file for the sake of better
> > organization, maybe
> > 'netlabel_secid.h'?
>
> I can put it anywhere you like. I'd prefer netlabel_lsm.h to
> netlabel_secid.h, but if you have a strong preference I'll defer to your
> conventions.
That's fine too.
Thanks.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-24 20:22 ` Casey Schaufler
@ 2013-04-24 21:15 ` Paul Moore
2013-04-24 23:00 ` John Johansen
0 siblings, 1 reply; 27+ messages in thread
From: Paul Moore @ 2013-04-24 21:15 UTC (permalink / raw)
To: Casey Schaufler
Cc: LSM, LKLM, SE Linux, James Morris, John Johansen, Eric Paris,
Tetsuo Handa, Kees Cook
On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
> On 4/24/2013 11:57 AM, Paul Moore wrote:
> > I know we had a good discussion about this a while back and I just wanted
> > to hear from you about this current patchset; how does the labeled
> > networking LSM assignment work? Is it first-come-first-served based on
> > the 'security=' setting?
>
> It's explicitly set in security/Kconfig. The problem with
> first-come-first-serve is that the LSMs don't actually register
> in the order specified, either at build time or boot time.
> Further, until the init phase is complete, you don't know which
> LSMs are actually going to register. That, and I promised Tetsuo
> I wouldn't go out of my way to prevent late module loading in
> the future.
>
> I could do order checking on module registration and take
> the networking component away from an LSM that registered
> earlier, but with a larger order number I suppose.
Hmmm. How difficult would it be to enforce the order during LSM registration?
As discussed previously, I'm not a big fan of assigning the network controls
at compile time when the LSMs can be toggled at boot time.
The real solution is to just get the netdev folks to accept a security blob in
the sk_buff so we can fix this (and many other problems) once and for all. I
still haven't given up on this effort but I think it would be silly to hold up
the stacking effort for the sk_buff security blob.
> The default configuration gives xfrm and secmark to SELinux
> and NetLabel to Smack. If Smack is not included NetLabel goes
> to SELinux. When LSMs using any of these facilities are added
> in the future we'll have to negotiate the defaults.
The defaults are always going to be wrong for someone.
> An interesting aside that may be relevant is that the error
> condition behavior makes it advisable to have the LSM you care
> about most go last. If the networking components were strictly
> FCFS you might have to chose an ordering you might not want for
> other reasons.
Well, maybe not ... I think. If we take a FCFS approach to the network
controls then only one LSM is really ever going to throw an error on the
network hooks, yes?
> It would be possible to have a boot time specification for
> the networking components if you think it's important. I do
> worry about making it excessively complicated. I'd be much more
> concerned if more LSMs used the networking components.
I think the "excessively complicated" boat has already sailed :)
I'm still in favor of assigning the network hooks to the LSM at boot based on
the "security=" configuration.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-24 21:15 ` Paul Moore
@ 2013-04-24 23:00 ` John Johansen
2013-04-25 0:43 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: John Johansen @ 2013-04-24 23:00 UTC (permalink / raw)
To: Paul Moore
Cc: Casey Schaufler, LSM, LKLM, SE Linux, James Morris, Eric Paris,
Tetsuo Handa, Kees Cook
On 04/24/2013 02:15 PM, Paul Moore wrote:
> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
>> On 4/24/2013 11:57 AM, Paul Moore wrote:
>>> I know we had a good discussion about this a while back and I just wanted
>>> to hear from you about this current patchset; how does the labeled
>>> networking LSM assignment work? Is it first-come-first-served based on
>>> the 'security=' setting?
>>
>> It's explicitly set in security/Kconfig. The problem with
>> first-come-first-serve is that the LSMs don't actually register
>> in the order specified, either at build time or boot time.
>> Further, until the init phase is complete, you don't know which
>> LSMs are actually going to register. That, and I promised Tetsuo
>> I wouldn't go out of my way to prevent late module loading in
>> the future.
>>
>> I could do order checking on module registration and take
>> the networking component away from an LSM that registered
>> earlier, but with a larger order number I suppose.
>
> Hmmm. How difficult would it be to enforce the order during LSM registration?
> As discussed previously, I'm not a big fan of assigning the network controls
> at compile time when the LSMs can be toggled at boot time.
>
> The real solution is to just get the netdev folks to accept a security blob in
> the sk_buff so we can fix this (and many other problems) once and for all. I
> still haven't given up on this effort but I think it would be silly to hold up
> the stacking effort for the sk_buff security blob.
>
>> The default configuration gives xfrm and secmark to SELinux
>> and NetLabel to Smack. If Smack is not included NetLabel goes
>> to SELinux. When LSMs using any of these facilities are added
>> in the future we'll have to negotiate the defaults.
>
> The defaults are always going to be wrong for someone.
>
>> An interesting aside that may be relevant is that the error
>> condition behavior makes it advisable to have the LSM you care
>> about most go last. If the networking components were strictly
>> FCFS you might have to chose an ordering you might not want for
>> other reasons.
>
> Well, maybe not ... I think. If we take a FCFS approach to the network
> controls then only one LSM is really ever going to throw an error on the
> network hooks, yes?
>
>> It would be possible to have a boot time specification for
>> the networking components if you think it's important. I do
>> worry about making it excessively complicated. I'd be much more
>> concerned if more LSMs used the networking components.
>
> I think the "excessively complicated" boat has already sailed :)
>
> I'm still in favor of assigning the network hooks to the LSM at boot based on
> the "security=" configuration.
>
yeah dealing with selection at boot time is going to be needed
at some point, whether its now or later ...
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-24 23:00 ` John Johansen
@ 2013-04-25 0:43 ` Casey Schaufler
2013-04-25 14:16 ` Tetsuo Handa
2013-04-25 15:01 ` Paul Moore
0 siblings, 2 replies; 27+ messages in thread
From: Casey Schaufler @ 2013-04-25 0:43 UTC (permalink / raw)
To: John Johansen
Cc: Paul Moore, LSM, LKLM, SE Linux, James Morris, Eric Paris,
Tetsuo Handa, Kees Cook, Casey Schaufler
On 4/24/2013 4:00 PM, John Johansen wrote:
> On 04/24/2013 02:15 PM, Paul Moore wrote:
>> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
>>> On 4/24/2013 11:57 AM, Paul Moore wrote:
>>>> I know we had a good discussion about this a while back and I just wanted
>>>> to hear from you about this current patchset; how does the labeled
>>>> networking LSM assignment work? Is it first-come-first-served based on
>>>> the 'security=' setting?
>>> It's explicitly set in security/Kconfig. The problem with
>>> first-come-first-serve is that the LSMs don't actually register
>>> in the order specified, either at build time or boot time.
>>> Further, until the init phase is complete, you don't know which
>>> LSMs are actually going to register. That, and I promised Tetsuo
>>> I wouldn't go out of my way to prevent late module loading in
>>> the future.
>>>
>>> I could do order checking on module registration and take
>>> the networking component away from an LSM that registered
>>> earlier, but with a larger order number I suppose.
>> Hmmm. How difficult would it be to enforce the order during LSM registration?
>> As discussed previously, I'm not a big fan of assigning the network controls
>> at compile time when the LSMs can be toggled at boot time.
>>
>> The real solution is to just get the netdev folks to accept a security blob in
>> the sk_buff so we can fix this (and many other problems) once and for all. I
>> still haven't given up on this effort but I think it would be silly to hold up
>> the stacking effort for the sk_buff security blob.
Fighting with hardcore networking people isn't my
idea of fun either. Waiting for them to approve of
a security facility has never been a winning strategy.
>>> The default configuration gives xfrm and secmark to SELinux
>>> and NetLabel to Smack. If Smack is not included NetLabel goes
>>> to SELinux. When LSMs using any of these facilities are added
>>> in the future we'll have to negotiate the defaults.
>> The defaults are always going to be wrong for someone.
>>
>>> An interesting aside that may be relevant is that the error
>>> condition behavior makes it advisable to have the LSM you care
>>> about most go last. If the networking components were strictly
>>> FCFS you might have to chose an ordering you might not want for
>>> other reasons.
>> Well, maybe not ... I think. If we take a FCFS approach to the network
>> controls then only one LSM is really ever going to throw an error on the
>> network hooks, yes?
You set up the order you want to get the networking handled
correctly and you could get filesystem hooks in the wrong order.
Not that that really ought to be a problem, but there are wonky
admin tools out there.
>>> It would be possible to have a boot time specification for
>>> the networking components if you think it's important. I do
>>> worry about making it excessively complicated. I'd be much more
>>> concerned if more LSMs used the networking components.
>> I think the "excessively complicated" boat has already sailed :)
Fair enough.
>> I'm still in favor of assigning the network hooks to the LSM at boot based on
>> the "security=" configuration.
>>
> yeah dealing with selection at boot time is going to be needed
> at some point, whether its now or later ...
I'll have a go at it then. What that would mean is that:
security=smack,selinux
gives Smack NetLabel and SELinux xfrm and secmark while
security=selinux,smack
gives SELinux all three. I would still like it to be possible to
explicitly configure the allocation at build time.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-25 0:43 ` Casey Schaufler
@ 2013-04-25 14:16 ` Tetsuo Handa
2013-04-25 15:01 ` Paul Moore
1 sibling, 0 replies; 27+ messages in thread
From: Tetsuo Handa @ 2013-04-25 14:16 UTC (permalink / raw)
To: casey, john.johansen
Cc: paul, linux-security-module, linux-kernel, selinux, jmorris,
eparis, keescook
Casey Schaufler wrote:
> >> I'm still in favor of assigning the network hooks to the LSM at boot based on
> >> the "security=" configuration.
> >>
> > yeah dealing with selection at boot time is going to be needed
> > at some point, whether its now or later ...
>
> I'll have a go at it then. What that would mean is that:
>
> security=smack,selinux
>
> gives Smack NetLabel and SELinux xfrm and secmark while
>
> security=selinux,smack
>
> gives SELinux all three. I would still like it to be possible to
> explicitly configure the allocation at build time.
The problem is that it is difficult to control the registration order since
each LSM module directly calls security_initcall() for registering themselves?
Then, what about replacing
static int __init foo_init()
{
register_security(&foo_security_ops);
return 0;
}
security_initcall(foo_init);
static int __init bar_init()
{
register_security(&bar_security_ops);
return 0;
}
security_initcall(bar_init);
with
static int __init foo_init()
{
register_security(&foo_security_ops);
return 0;
}
static int __init bar_init()
{
register_security(&bar_security_ops);
return 0;
}
static int __init add_foo(void) {
foo_security_ops.register = foo_init;
list_add_tail(&foo_security_ops.list[lsm_candidate], &lsm_hooks[lsm_candidate]);
return 0;
}
pure_initcall(add_foo);
static int __init add_bar(void) {
bar_security_ops.register = bar_init;
list_add_tail(&bar_security_ops.list[lsm_candidate], &lsm_hooks[lsm_candidate]);
return 0;
}
pure_initcall(add_bar);
and let security/security.c register in accordance with
security= parameter (or compile-time config if none given)?
static int __init register_lsms(void)
{
for_each_comma_separated_lsm_names_given() {
bool found = 0;
list_for_each_entry_safe(ops, tmp, &lsm_hooks[lsm_candidate]) {
if (!strcmp(ops->name, name)) {
if (ops->register() == 0)
list_del(&ops->list[lsm_candidate]);
found = 1;
break;
}
}
if (!found) {
printk("LSM module %s was not found\n", name);
}
}
list_for_each_entry_safe(ops, tmp, &lsm_hooks[lsm_candidate]) {
list_del(&ops->list[lsm_candidate]);
printk("LSM module %s was not enabled\n", ops->name);
}
}
security_initcall(register_lsms);
(Well, list_add_tail() in pure_initcall functions should be optimized
by statically embedding into security/security.c at compile time?)
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-25 0:43 ` Casey Schaufler
2013-04-25 14:16 ` Tetsuo Handa
@ 2013-04-25 15:01 ` Paul Moore
2013-04-25 18:09 ` Casey Schaufler
1 sibling, 1 reply; 27+ messages in thread
From: Paul Moore @ 2013-04-25 15:01 UTC (permalink / raw)
To: Casey Schaufler
Cc: John Johansen, LSM, LKLM, SE Linux, James Morris, Eric Paris,
Tetsuo Handa, Kees Cook
On Wednesday, April 24, 2013 05:43:08 PM Casey Schaufler wrote:
> On 4/24/2013 4:00 PM, John Johansen wrote:
> > On 04/24/2013 02:15 PM, Paul Moore wrote:
> >> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
...
> >>> An interesting aside that may be relevant is that the error
> >>> condition behavior makes it advisable to have the LSM you care
> >>> about most go last. If the networking components were strictly
> >>> FCFS you might have to chose an ordering you might not want for
> >>> other reasons.
> >>
> >> Well, maybe not ... I think. If we take a FCFS approach to the network
> >> controls then only one LSM is really ever going to throw an error on the
> >> network hooks, yes?
>
> You set up the order you want to get the networking handled
> correctly and you could get filesystem hooks in the wrong order.
> Not that that really ought to be a problem, but there are wonky
> admin tools out there.
I don't quite follow; can you be a bit more explicit about getting the
filesystem hooks in the wrong order?
> >> I'm still in favor of assigning the network hooks to the LSM at boot
> >> based on the "security=" configuration.
> >
> > yeah dealing with selection at boot time is going to be needed
> > at some point, whether its now or later ...
>
> I'll have a go at it then. What that would mean is that:
>
> security=smack,selinux
>
> gives Smack NetLabel and SELinux xfrm and secmark while
>
> security=selinux,smack
>
> gives SELinux all three.
That seems reasonable, it also keeps the door open for adding a specific
network hook ordering option, e.g. "security_net=", at a later date if
necessary.
> I would still like it to be possible to explicitly configure the allocation
> at build time.
I suppose I have no object to that, I would just place my vote to have the
dynamic FCFS (or LCFS if that makes more sense) assignment be the Kconfig
default.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-25 15:01 ` Paul Moore
@ 2013-04-25 18:09 ` Casey Schaufler
2013-04-25 19:14 ` Paul Moore
0 siblings, 1 reply; 27+ messages in thread
From: Casey Schaufler @ 2013-04-25 18:09 UTC (permalink / raw)
To: Paul Moore
Cc: John Johansen, LSM, LKLM, SE Linux, James Morris, Eric Paris,
Tetsuo Handa, Kees Cook, Casey Schaufler
On 4/25/2013 8:01 AM, Paul Moore wrote:
> On Wednesday, April 24, 2013 05:43:08 PM Casey Schaufler wrote:
>> On 4/24/2013 4:00 PM, John Johansen wrote:
>>> On 04/24/2013 02:15 PM, Paul Moore wrote:
>>>> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
> ...
>
>>>>> An interesting aside that may be relevant is that the error
>>>>> condition behavior makes it advisable to have the LSM you care
>>>>> about most go last. If the networking components were strictly
>>>>> FCFS you might have to chose an ordering you might not want for
>>>>> other reasons.
>>>> Well, maybe not ... I think. If we take a FCFS approach to the network
>>>> controls then only one LSM is really ever going to throw an error on the
>>>> network hooks, yes?
>> You set up the order you want to get the networking handled
>> correctly and you could get filesystem hooks in the wrong order.
>> Not that that really ought to be a problem, but there are wonky
>> admin tools out there.
> I don't quite follow; can you be a bit more explicit about getting the
> filesystem hooks in the wrong order?
Let's assume that there's a case for the stat() system call that
would get EPERM from SELinux and EACCES from Smack. A carefully
crafted admin tool might take different actions based on the return
code. If Smack ahead of SELinux in the list the tool will respond
one way, whereas if SELinux is ahead it will behave the other way.
If this tool came with Fedora it will likely expect the SELinux
error code. Thus, it will be somewhat important that Smack precede
SELinux in the LSM ordering. That will grant Smack the NetLabel
component. If you want SELinux to use NetLabel you'll have to
explicitly configure that.
It's probably not going to be an issue that often. Making the
ordering implications clear to those who may be affected by them
is probably the best choice and biggest challenge. It would be
nice to keep them to a minimum. I fear some future LSM author
getting clever with error codes and demanding the ultimate
position in all cases.
>>>> I'm still in favor of assigning the network hooks to the LSM at boot
>>>> based on the "security=" configuration.
>>> yeah dealing with selection at boot time is going to be needed
>>> at some point, whether its now or later ...
>> I'll have a go at it then. What that would mean is that:
>>
>> security=smack,selinux
>>
>> gives Smack NetLabel and SELinux xfrm and secmark while
>>
>> security=selinux,smack
>>
>> gives SELinux all three.
> That seems reasonable, it also keeps the door open for adding a specific
> network hook ordering option, e.g. "security_net=", at a later date if
> necessary.
>
>> I would still like it to be possible to explicitly configure the allocation
>> at build time.
> I suppose I have no object to that, I would just place my vote to have the
> dynamic FCFS (or LCFS if that makes more sense) assignment be the Kconfig
> default.
>
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-25 18:09 ` Casey Schaufler
@ 2013-04-25 19:14 ` Paul Moore
2013-04-25 20:21 ` Casey Schaufler
0 siblings, 1 reply; 27+ messages in thread
From: Paul Moore @ 2013-04-25 19:14 UTC (permalink / raw)
To: Casey Schaufler
Cc: John Johansen, LSM, LKLM, SE Linux, James Morris, Eric Paris,
Tetsuo Handa, Kees Cook
On Thursday, April 25, 2013 11:09:23 AM Casey Schaufler wrote:
> On 4/25/2013 8:01 AM, Paul Moore wrote:
> > On Wednesday, April 24, 2013 05:43:08 PM Casey Schaufler wrote:
> >> On 4/24/2013 4:00 PM, John Johansen wrote:
> >>> On 04/24/2013 02:15 PM, Paul Moore wrote:
> >>>> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
> > ...
> >
> >>>>> An interesting aside that may be relevant is that the error
> >>>>> condition behavior makes it advisable to have the LSM you care
> >>>>> about most go last. If the networking components were strictly
> >>>>> FCFS you might have to chose an ordering you might not want for
> >>>>> other reasons.
> >>>>
> >>>> Well, maybe not ... I think. If we take a FCFS approach to the network
> >>>> controls then only one LSM is really ever going to throw an error on
> >>>> the
> >>>> network hooks, yes?
> >>
> >> You set up the order you want to get the networking handled
> >> correctly and you could get filesystem hooks in the wrong order.
> >> Not that that really ought to be a problem, but there are wonky
> >> admin tools out there.
> >
> > I don't quite follow; can you be a bit more explicit about getting the
> > filesystem hooks in the wrong order?
>
> Let's assume that there's a case for the stat() system call that
> would get EPERM from SELinux and EACCES from Smack. A carefully
> crafted admin tool might take different actions based on the return
> code. If Smack ahead of SELinux in the list the tool will respond
> one way, whereas if SELinux is ahead it will behave the other way.
>
> If this tool came with Fedora it will likely expect the SELinux
> error code. Thus, it will be somewhat important that Smack precede
> SELinux in the LSM ordering. That will grant Smack the NetLabel
> component. If you want SELinux to use NetLabel you'll have to
> explicitly configure that.
>
> It's probably not going to be an issue that often. Making the
> ordering implications clear to those who may be affected by them
> is probably the best choice and biggest challenge. It would be
> nice to keep them to a minimum. I fear some future LSM author
> getting clever with error codes and demanding the ultimate
> position in all cases.
I guess this begs the question, why does the stacking take the return value
from the last LSM and not the first? I'm sure there was a design decision
made here, I'm just curious about the reasons why.
To me, and maybe I'm the odd one out here, but I would think that the first
LSM in the stacking order should get precedence; this is why I'm pushing for a
FCFS for the network controls. If it turns out that the stacking patches give
preference for the last LSM in the stacking order (I think this will always
seem backwards to me) then we should probably give the networking controls to
the last LSM.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-25 19:14 ` Paul Moore
@ 2013-04-25 20:21 ` Casey Schaufler
2013-04-25 21:05 ` Kees Cook
2013-04-25 21:26 ` Paul Moore
0 siblings, 2 replies; 27+ messages in thread
From: Casey Schaufler @ 2013-04-25 20:21 UTC (permalink / raw)
To: Paul Moore
Cc: John Johansen, LSM, LKLM, SE Linux, James Morris, Eric Paris,
Tetsuo Handa, Kees Cook, Casey Schaufler
On 4/25/2013 12:14 PM, Paul Moore wrote:
> On Thursday, April 25, 2013 11:09:23 AM Casey Schaufler wrote:
>> On 4/25/2013 8:01 AM, Paul Moore wrote:
>>> On Wednesday, April 24, 2013 05:43:08 PM Casey Schaufler wrote:
>>>> On 4/24/2013 4:00 PM, John Johansen wrote:
>>>>> On 04/24/2013 02:15 PM, Paul Moore wrote:
>>>>>> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
>>> ...
>>>
>>>>>>> An interesting aside that may be relevant is that the error
>>>>>>> condition behavior makes it advisable to have the LSM you care
>>>>>>> about most go last. If the networking components were strictly
>>>>>>> FCFS you might have to chose an ordering you might not want for
>>>>>>> other reasons.
>>>>>> Well, maybe not ... I think. If we take a FCFS approach to the network
>>>>>> controls then only one LSM is really ever going to throw an error on
>>>>>> the
>>>>>> network hooks, yes?
>>>> You set up the order you want to get the networking handled
>>>> correctly and you could get filesystem hooks in the wrong order.
>>>> Not that that really ought to be a problem, but there are wonky
>>>> admin tools out there.
>>> I don't quite follow; can you be a bit more explicit about getting the
>>> filesystem hooks in the wrong order?
>> Let's assume that there's a case for the stat() system call that
>> would get EPERM from SELinux and EACCES from Smack. A carefully
>> crafted admin tool might take different actions based on the return
>> code. If Smack ahead of SELinux in the list the tool will respond
>> one way, whereas if SELinux is ahead it will behave the other way.
>>
>> If this tool came with Fedora it will likely expect the SELinux
>> error code. Thus, it will be somewhat important that Smack precede
>> SELinux in the LSM ordering. That will grant Smack the NetLabel
>> component. If you want SELinux to use NetLabel you'll have to
>> explicitly configure that.
>>
>> It's probably not going to be an issue that often. Making the
>> ordering implications clear to those who may be affected by them
>> is probably the best choice and biggest challenge. It would be
>> nice to keep them to a minimum. I fear some future LSM author
>> getting clever with error codes and demanding the ultimate
>> position in all cases.
> I guess this begs the question, why does the stacking take the return value
> from the last LSM and not the first? I'm sure there was a design decision
> made here, I'm just curious about the reasons why.
The hook loop is trivially simpler if you return the last error than
if you return the first error:
if (thisrc)
rc = thisrc;
vs
if (thisrc && !rc)
rc = thisrc;
If I had decided to do shortcutting (return on first failure) it
would be a different story.
> To me, and maybe I'm the odd one out here,
I don't know that you're the only odd one here. :)
> but I would think that the first
> LSM in the stacking order should get precedence;
My desire and intent is that to the extent possible there should
be no "principle" LSM. The choice of last error is purely driven
by the fact that it's the easiest thing to do.
> this is why I'm pushing for a
> FCFS for the network controls. If it turns out that the stacking patches give
> preference for the last LSM in the stacking order (I think this will always
> seem backwards to me) then we should probably give the networking controls to
> the last LSM.
I actually think that FCFS for networking services and last error code
hits closest to the sweet spot. "security=yama,smack,selinux" would give
NetLabel to Smack and xfrm and secmark to SELinux. It would also give
SELinux error returns in cases where there are multiple reasons for
denial. Since SELinux has a more sophisticated runtime environment than
Smack this is likely to make Fedora (for example) happier.
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-25 20:21 ` Casey Schaufler
@ 2013-04-25 21:05 ` Kees Cook
2013-04-25 21:26 ` Paul Moore
1 sibling, 0 replies; 27+ messages in thread
From: Kees Cook @ 2013-04-25 21:05 UTC (permalink / raw)
To: Casey Schaufler
Cc: Paul Moore, John Johansen, LSM, LKLM, SE Linux, James Morris,
Eric Paris, Tetsuo Handa
On Thu, Apr 25, 2013 at 1:21 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 4/25/2013 12:14 PM, Paul Moore wrote:
>> On Thursday, April 25, 2013 11:09:23 AM Casey Schaufler wrote:
>>> On 4/25/2013 8:01 AM, Paul Moore wrote:
>>>> On Wednesday, April 24, 2013 05:43:08 PM Casey Schaufler wrote:
>>>>> On 4/24/2013 4:00 PM, John Johansen wrote:
>>>>>> On 04/24/2013 02:15 PM, Paul Moore wrote:
>>>>>>> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
>>>> ...
>>>>
>>>>>>>> An interesting aside that may be relevant is that the error
>>>>>>>> condition behavior makes it advisable to have the LSM you care
>>>>>>>> about most go last. If the networking components were strictly
>>>>>>>> FCFS you might have to chose an ordering you might not want for
>>>>>>>> other reasons.
>>>>>>> Well, maybe not ... I think. If we take a FCFS approach to the network
>>>>>>> controls then only one LSM is really ever going to throw an error on
>>>>>>> the
>>>>>>> network hooks, yes?
>>>>> You set up the order you want to get the networking handled
>>>>> correctly and you could get filesystem hooks in the wrong order.
>>>>> Not that that really ought to be a problem, but there are wonky
>>>>> admin tools out there.
>>>> I don't quite follow; can you be a bit more explicit about getting the
>>>> filesystem hooks in the wrong order?
>>> Let's assume that there's a case for the stat() system call that
>>> would get EPERM from SELinux and EACCES from Smack. A carefully
>>> crafted admin tool might take different actions based on the return
>>> code. If Smack ahead of SELinux in the list the tool will respond
>>> one way, whereas if SELinux is ahead it will behave the other way.
>>>
>>> If this tool came with Fedora it will likely expect the SELinux
>>> error code. Thus, it will be somewhat important that Smack precede
>>> SELinux in the LSM ordering. That will grant Smack the NetLabel
>>> component. If you want SELinux to use NetLabel you'll have to
>>> explicitly configure that.
>>>
>>> It's probably not going to be an issue that often. Making the
>>> ordering implications clear to those who may be affected by them
>>> is probably the best choice and biggest challenge. It would be
>>> nice to keep them to a minimum. I fear some future LSM author
>>> getting clever with error codes and demanding the ultimate
>>> position in all cases.
>> I guess this begs the question, why does the stacking take the return value
>> from the last LSM and not the first? I'm sure there was a design decision
>> made here, I'm just curious about the reasons why.
>
> The hook loop is trivially simpler if you return the last error than
> if you return the first error:
>
> if (thisrc)
> rc = thisrc;
>
> vs
>
> if (thisrc && !rc)
> rc = thisrc;
>
> If I had decided to do shortcutting (return on first failure) it
> would be a different story.
>
>> To me, and maybe I'm the odd one out here,
>
> I don't know that you're the only odd one here. :)
>
>> but I would think that the first
>> LSM in the stacking order should get precedence;
>
> My desire and intent is that to the extent possible there should
> be no "principle" LSM. The choice of last error is purely driven
> by the fact that it's the easiest thing to do.
>
>> this is why I'm pushing for a
>> FCFS for the network controls. If it turns out that the stacking patches give
>> preference for the last LSM in the stacking order (I think this will always
>> seem backwards to me) then we should probably give the networking controls to
>> the last LSM.
>
> I actually think that FCFS for networking services and last error code
> hits closest to the sweet spot. "security=yama,smack,selinux" would give
> NetLabel to Smack and xfrm and secmark to SELinux. It would also give
> SELinux error returns in cases where there are multiple reasons for
> denial. Since SELinux has a more sophisticated runtime environment than
> Smack this is likely to make Fedora (for example) happier.
Yeah, this seems good to me too.
-Kees
--
Kees Cook
Chrome OS Security
^ permalink raw reply [flat|nested] 27+ messages in thread
* Re: [PATCH v13 0/9] LSM: Multiple concurrent LSMs
2013-04-25 20:21 ` Casey Schaufler
2013-04-25 21:05 ` Kees Cook
@ 2013-04-25 21:26 ` Paul Moore
1 sibling, 0 replies; 27+ messages in thread
From: Paul Moore @ 2013-04-25 21:26 UTC (permalink / raw)
To: Casey Schaufler
Cc: John Johansen, LSM, LKLM, SE Linux, James Morris, Eric Paris,
Tetsuo Handa, Kees Cook
On Thursday, April 25, 2013 01:21:50 PM Casey Schaufler wrote:
> On 4/25/2013 12:14 PM, Paul Moore wrote:
> > On Thursday, April 25, 2013 11:09:23 AM Casey Schaufler wrote:
> >> On 4/25/2013 8:01 AM, Paul Moore wrote:
> >>> On Wednesday, April 24, 2013 05:43:08 PM Casey Schaufler wrote:
> >>>> On 4/24/2013 4:00 PM, John Johansen wrote:
> >>>>> On 04/24/2013 02:15 PM, Paul Moore wrote:
> >>>>>> On Wednesday, April 24, 2013 01:22:20 PM Casey Schaufler wrote:
> >>> ...
> >>>
> >>>>>>> An interesting aside that may be relevant is that the error
> >>>>>>> condition behavior makes it advisable to have the LSM you care
> >>>>>>> about most go last. If the networking components were strictly
> >>>>>>> FCFS you might have to chose an ordering you might not want for
> >>>>>>> other reasons.
> >>>>>>
> >>>>>> Well, maybe not ... I think. If we take a FCFS approach to the
> >>>>>> network
> >>>>>> controls then only one LSM is really ever going to throw an error on
> >>>>>> the
> >>>>>> network hooks, yes?
> >>>>
> >>>> You set up the order you want to get the networking handled
> >>>> correctly and you could get filesystem hooks in the wrong order.
> >>>> Not that that really ought to be a problem, but there are wonky
> >>>> admin tools out there.
> >>>
> >>> I don't quite follow; can you be a bit more explicit about getting the
> >>> filesystem hooks in the wrong order?
> >>
> >> Let's assume that there's a case for the stat() system call that
> >> would get EPERM from SELinux and EACCES from Smack. A carefully
> >> crafted admin tool might take different actions based on the return
> >> code. If Smack ahead of SELinux in the list the tool will respond
> >> one way, whereas if SELinux is ahead it will behave the other way.
> >>
> >> If this tool came with Fedora it will likely expect the SELinux
> >> error code. Thus, it will be somewhat important that Smack precede
> >> SELinux in the LSM ordering. That will grant Smack the NetLabel
> >> component. If you want SELinux to use NetLabel you'll have to
> >> explicitly configure that.
> >>
> >> It's probably not going to be an issue that often. Making the
> >> ordering implications clear to those who may be affected by them
> >> is probably the best choice and biggest challenge. It would be
> >> nice to keep them to a minimum. I fear some future LSM author
> >> getting clever with error codes and demanding the ultimate
> >> position in all cases.
> >
> > I guess this begs the question, why does the stacking take the return
> > value
> > from the last LSM and not the first? I'm sure there was a design decision
> > made here, I'm just curious about the reasons why.
>
> The hook loop is trivially simpler if you return the last error than
> if you return the first error:
>
> if (thisrc)
> rc = thisrc;
>
> vs
>
> if (thisrc && !rc)
> rc = thisrc;
>
> If I had decided to do shortcutting (return on first failure) it
> would be a different story.
Okay, fair enough. Thanks.
> > To me, and maybe I'm the odd one out here,
>
> I don't know that you're the only odd one here. :)
>
> > but I would think that the first LSM in the stacking order should get
> > precedence;
>
> My desire and intent is that to the extent possible there should
> be no "principle" LSM. The choice of last error is purely driven
> by the fact that it's the easiest thing to do.
I'm not sure if you can call it a "principle" LSM or not, but as long as we've
got portions of the kernel that don't support LSM stacked, e.g. the network
stack, we're always going to have one LSM that has a bit more control than
others.
> > this is why I'm pushing for a FCFS for the network controls. If it turns
> > out that the stacking patches give preference for the last LSM in the
> > stacking order (I think this will always seem backwards to me) then we
> > should probably give the networking controls to the last LSM.
>
> I actually think that FCFS for networking services and last error code
> hits closest to the sweet spot. "security=yama,smack,selinux" would give
> NetLabel to Smack and xfrm and secmark to SELinux. It would also give
> SELinux error returns in cases where there are multiple reasons for
> denial. Since SELinux has a more sophisticated runtime environment than
> Smack this is likely to make Fedora (for example) happier.
Okay, works for me. The thing I'm most concerned about is just making sure we
make the network bits a boot time configuration and not just a compile time
option.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 27+ messages in thread
end of thread, other threads:[~2013-04-25 21:26 UTC | newest]
Thread overview: 27+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <5176ABB7.5080300@schaufler-ca.com>
2013-04-23 16:04 ` [PATCH v13 0/9] LSM: Multiple concurrent LSMs Casey Schaufler
2013-04-24 18:57 ` Paul Moore
2013-04-24 20:22 ` Casey Schaufler
2013-04-24 21:15 ` Paul Moore
2013-04-24 23:00 ` John Johansen
2013-04-25 0:43 ` Casey Schaufler
2013-04-25 14:16 ` Tetsuo Handa
2013-04-25 15:01 ` Paul Moore
2013-04-25 18:09 ` Casey Schaufler
2013-04-25 19:14 ` Paul Moore
2013-04-25 20:21 ` Casey Schaufler
2013-04-25 21:05 ` Kees Cook
2013-04-25 21:26 ` Paul Moore
2013-04-23 16:04 ` [PATCH v13 1/9] LSM: Security blob abstraction Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 2/9] LSM: Complete conversion to kill_pid_info_as_cred Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 3/9] LSM: Multiple concurrent secids Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 4/9] LSM: Multiple security context maintenance Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 5/9] LSM: Networking component isolation Casey Schaufler
2013-04-24 18:51 ` Paul Moore
2013-04-24 19:09 ` Casey Schaufler
2013-04-24 21:04 ` Paul Moore
2013-04-23 16:04 ` [PATCH v13 6/9] LSM: Additional interfaces in /proc/pid/attr Casey Schaufler
2013-04-23 16:04 ` [PATCH v13 7/9] LSM: remove Yama special case stacking Casey Schaufler
2013-04-23 20:12 ` Kees Cook
2013-04-23 16:04 ` [PATCH v13 8/9] LSM: Hook list management Casey Schaufler
2013-04-23 16:05 ` [PATCH v13 9/9] LSM: Documentation and cleanup Casey Schaufler
2013-04-23 19:02 ` Randy Dunlap
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox