Kernel/linux-next
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-01 10:42:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

lsm: create new security_cred_getlsmprop LSM hook

Browse Source 
Create a new LSM hook security_cred_getlsmprop() which, like
security_cred_getsecid(), fetches LSM specific attributes from the
cred structure.  The associated data elements in the audit sub-system
are changed from a secid to a lsm_prop to accommodate multiple possible
LSM audit users.

Cc: linux-integrity@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: selinux@vger.kernel.org
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subj line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Casey Schaufler 2024-10-09 10:32:18 -07:00 committed by Paul Moore
parent e0a8dcbd53
commit b0654ca429
6 changed files with 50 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/linux/lsm_hook_defs.h
View File

@ -218,6 +218,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old,
LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new, LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new,
const struct cred *old) const struct cred *old)
LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid) LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid)
LSM_HOOK(void, LSM_RET_VOID, cred_getlsmprop, const struct cred *c,
struct lsm_prop *prop)
LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid) LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid)
LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode) LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode)
LSM_HOOK(int, 0, kernel_module_request, char *kmod_name) LSM_HOOK(int, 0, kernel_module_request, char *kmod_name)

5
include/linux/security.h
View File

@ -488,6 +488,7 @@ void security_cred_free(struct cred *cred);
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
void security_transfer_creds(struct cred *new, const struct cred *old); void security_transfer_creds(struct cred *new, const struct cred *old);
void security_cred_getsecid(const struct cred *c, u32 *secid); void security_cred_getsecid(const struct cred *c, u32 *secid);
void security_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop);
int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_act_as(struct cred *new, u32 secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_module_request(char *kmod_name); int security_kernel_module_request(char *kmod_name);
@ -1229,6 +1230,10 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid)
*secid = 0; *secid = 0;
} }
static inline void security_cred_getlsmprop(const struct cred *c,
struct lsm_prop *prop)
{ }
static inline int security_kernel_act_as(struct cred *cred, u32 secid) static inline int security_kernel_act_as(struct cred *cred, u32 secid)
{ {
return 0; return 0;

7
security/integrity/ima/ima_main.c
View File

@ -541,8 +541,7 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
static int ima_bprm_check(struct linux_binprm *bprm) static int ima_bprm_check(struct linux_binprm *bprm)
{ {
int ret; int ret;
u32 secid; struct lsm_prop prop;
struct lsm_prop prop = { };
security_current_getlsmprop_subj(&prop); security_current_getlsmprop_subj(&prop);
ret = process_measurement(bprm->file, current_cred(), ret = process_measurement(bprm->file, current_cred(),
@ -550,9 +549,7 @@ static int ima_bprm_check(struct linux_binprm *bprm)
if (ret) if (ret)
return ret; return ret;
security_cred_getsecid(bprm->cred, &secid); security_cred_getlsmprop(bprm->cred, &prop);
/* scaffolding */
prop.scaffold.secid = secid;
return process_measurement(bprm->file, bprm->cred, &prop, NULL, 0, return process_measurement(bprm->file, bprm->cred, &prop, NULL, 0,
MAY_EXEC, CREDS_CHECK); MAY_EXEC, CREDS_CHECK);
} }

15
security/security.c
View File

@ -3272,6 +3272,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid)
} }
EXPORT_SYMBOL(security_cred_getsecid); EXPORT_SYMBOL(security_cred_getsecid);
/**
* security_cred_getlsmprop() - Get the LSM data from a set of credentials
* @c: credentials
* @prop: destination for the LSM data
*
* Retrieve the security data of the cred structure @c. In case of
* failure, @prop will be cleared.
*/
void security_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
{
lsmprop_init(prop);
call_void_hook(cred_getlsmprop, c, prop);
}
EXPORT_SYMBOL(security_cred_getlsmprop);
/** /**
* security_kernel_act_as() - Set the kernel credentials to act as secid * security_kernel_act_as() - Set the kernel credentials to act as secid
* @new: credentials * @new: credentials

8
security/selinux/hooks.c
View File

@ -4037,6 +4037,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
*secid = cred_sid(c); *secid = cred_sid(c);
} }
static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
{
prop->selinux.secid = cred_sid(c);
/* scaffolding */
prop->scaffold.secid = prop->selinux.secid;
}
/* /*
* set the security data for a kernel service * set the security data for a kernel service
* - all the creation contexts are set to unlabelled * - all the creation contexts are set to unlabelled
@ -7203,6 +7210,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop),
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),

18
security/smack/smack_lsm.c
View File

@ -2150,6 +2150,23 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
rcu_read_unlock(); rcu_read_unlock();
} }
/**
* smack_cred_getlsmprop - get the Smack label for a creds structure
* @cred: the object creds
* @prop: where to put the data
*
* Sets the Smack part of the ref
*/
static void smack_cred_getlsmprop(const struct cred *cred,
struct lsm_prop *prop)
{
rcu_read_lock();
prop->smack.skp = smk_of_task(smack_cred(cred));
/* scaffolding */
prop->scaffold.secid = prop->smack.skp->smk_secid;
rcu_read_unlock();
}
/** /**
* smack_kernel_act_as - Set the subjective context in a set of credentials * smack_kernel_act_as - Set the subjective context in a set of credentials
* @new: points to the set of credentials to be modified. * @new: points to the set of credentials to be modified.
@ -5132,6 +5149,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), LSM_HOOK_INIT(cred_prepare, smack_cred_prepare),
LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), LSM_HOOK_INIT(cred_transfer, smack_cred_transfer),
LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid),
LSM_HOOK_INIT(cred_getlsmprop, smack_cred_getlsmprop),
LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as),
LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as),
LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),