[PATCH 2/4] watch_queue: Add security hooks to rule on setting mount watches
From: David Howells <dhowells@redhat.com>
Date: 2020-07-24 13:11:53
Also in:
linux-api, linux-fsdevel, lkml
Subsystem:
security subsystem, the rest · Maintainers:
Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds
Add a security hook that will allow an LSM to rule on whether or not a watch may be set on a mount. Signed-off-by: David Howells <dhowells@redhat.com> cc: James Morris <redacted> cc: Casey Schaufler <casey@schaufler-ca.com> cc: Stephen Smalley <redacted> cc: linux-security-module@vger.kernel.org --- include/linux/lsm_hook_defs.h | 3 +++ include/linux/lsm_hooks.h | 6 ++++++ include/linux/security.h | 8 ++++++++ security/security.c | 7 +++++++ 4 files changed, 24 insertions(+)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index af998f93d256..f6eaf8bd617b 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h@@ -264,6 +264,9 @@ LSM_HOOK(int, 0, post_notification, const struct cred *w_cred, #if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS) LSM_HOOK(int, 0, watch_key, struct key *key) #endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */ +#ifdef CONFIG_MOUNT_NOTIFICATIONS +LSM_HOOK(int, 0, watch_mount, struct watch *watch, struct path *path) +#endif #ifdef CONFIG_SECURITY_NETWORK LSM_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other,
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 95b7c1d32062..56275145b91d 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h@@ -1468,6 +1468,12 @@ * from a key or keyring. * @key: The key to watch. * + * @watch_mount: + * Check to see if a process is allowed to watch for mount topology change + * notifications on a mount subtree. + * @watch: The watch object + * @path: The root of the subtree to watch. + * * Security hooks for using the eBPF maps and programs functionalities through * eBPF syscalls. *
diff --git a/include/linux/security.h b/include/linux/security.h
index 0a0a03b36a3b..318fdfe7f4d6 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h@@ -1314,6 +1314,14 @@ static inline int security_watch_key(struct key *key) return 0; } #endif +#if defined(CONFIG_SECURITY) && defined(CONFIG_MOUNT_NOTIFICATIONS) +int security_watch_mount(struct watch *watch, struct path *path); +#else +static inline int security_watch_mount(struct watch *watch, struct path *path) +{ + return 0; +} +#endif #ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/security.c b/security/security.c
index 70a7ad357bc6..3cdf5039f727 100644
--- a/security/security.c
+++ b/security/security.c@@ -2067,6 +2067,13 @@ int security_watch_key(struct key *key) } #endif +#ifdef CONFIG_MOUNT_NOTIFICATIONS +int security_watch_mount(struct watch *watch, struct path *path) +{ + return call_int_hook(watch_mount, 0, watch, path); +} +#endif + #ifdef CONFIG_SECURITY_NETWORK int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)