--- v20
+++ v24
@@ -1,171 +1,212 @@
-Change the data used in UDS SO_PEERSEC processing from a
-secid to a more general struct lsmblob. Update the
-security_socket_getpeersec_dgram() interface to use the
-lsmblob. There is a small amount of scaffolding code
-that will come out when the security_secid_to_secctx()
-code is brought in line with the lsmblob.
-
+Change the secid parameter of security_audit_rule_match
+to a lsmblob structure pointer. Pass the entry from the
+lsmblob structure for the approprite slot to the LSM hook.
+
+Change the users of security_audit_rule_match to use the
+lsmblob instead of a u32. The scaffolding function lsmblob_init()
+fills the blob with the value of the old secid, ensuring that
+it is available to the appropriate module hook. The sources of
+the secid, security_task_getsecid() and security_inode_getsecid(),
+will be converted to use the blob structure later in the series.
+At the point the use of lsmblob_init() is dropped.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Cc: linux-audit@redhat.com
+Cc: linux-integrity@vger.kernel.org
+To: Mimi Zohar <zohar@linux.ibm.com>
---
- include/linux/security.h | 7 +++++--
- include/net/af_unix.h | 2 +-
- include/net/scm.h | 8 +++++---
- net/ipv4/ip_sockglue.c | 8 +++++---
- net/unix/af_unix.c | 6 +++---
- security/security.c | 18 +++++++++++++++---
- 6 files changed, 34 insertions(+), 15 deletions(-)
+ include/linux/security.h | 7 ++++---
+ kernel/auditfilter.c | 6 ++++--
+ kernel/auditsc.c | 14 ++++++++++----
+ security/integrity/ima/ima.h | 4 ++--
+ security/integrity/ima/ima_policy.c | 7 +++++--
+ security/security.c | 10 ++++++++--
+ 6 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
-index e2ef982b3dd7..ae623b89cdf4 100644
+index a99a4307176f..112aadf3e7f9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
-@@ -1398,7 +1398,8 @@ int security_socket_shutdown(struct socket *sock, int how);
- int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
- int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
- int __user *optlen, unsigned len);
--int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
-+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
-+ struct lsmblob *blob);
- int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
- void security_sk_free(struct sock *sk);
- void security_sk_clone(const struct sock *sk, struct sock *newsk);
-@@ -1536,7 +1537,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
- return -ENOPROTOOPT;
- }
-
--static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
-+static inline int security_socket_getpeersec_dgram(struct socket *sock,
-+ struct sk_buff *skb,
-+ struct lsmblob *blob)
- {
- return -ENOPROTOOPT;
- }
-diff --git a/include/net/af_unix.h b/include/net/af_unix.h
-index f42fdddecd41..a86da0cb5ec1 100644
---- a/include/net/af_unix.h
-+++ b/include/net/af_unix.h
-@@ -36,7 +36,7 @@ struct unix_skb_parms {
- kgid_t gid;
- struct scm_fp_list *fp; /* Passed files */
- #ifdef CONFIG_SECURITY_NETWORK
-- u32 secid; /* Security ID */
-+ struct lsmblob lsmblob; /* Security LSM data */
- #endif
- u32 consumed;
- } __randomize_layout;
-diff --git a/include/net/scm.h b/include/net/scm.h
-index 1ce365f4c256..e2e71c4bf9d0 100644
---- a/include/net/scm.h
-+++ b/include/net/scm.h
-@@ -33,7 +33,7 @@ struct scm_cookie {
- struct scm_fp_list *fp; /* Passed files */
- struct scm_creds creds; /* Skb credentials */
- #ifdef CONFIG_SECURITY_NETWORK
-- u32 secid; /* Passed security ID */
-+ struct lsmblob lsmblob; /* Passed LSM data */
- #endif
- };
-
-@@ -46,7 +46,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
- #ifdef CONFIG_SECURITY_NETWORK
- static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
- {
-- security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
-+ security_socket_getpeersec_dgram(sock, NULL, &scm->lsmblob);
- }
+@@ -1902,7 +1902,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
+ #ifdef CONFIG_SECURITY
+ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
+ int security_audit_rule_known(struct audit_krule *krule);
+-int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule);
++int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
++ void **lsmrule);
+ void security_audit_rule_free(void **lsmrule);
+
#else
- static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
-@@ -97,7 +97,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
- int err;
-
- if (test_bit(SOCK_PASSSEC, &sock->flags)) {
-- err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
-+ /* Scaffolding - it has to be element 0 for now */
-+ err = security_secid_to_secctx(scm->lsmblob.secid[0],
-+ &secdata, &seclen);
-
- if (!err) {
- put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
-diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index d2c223554ff7..551dfbc717e9 100644
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -130,15 +130,17 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
-
- static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
- {
-+ struct lsmblob lb;
- char *secdata;
-- u32 seclen, secid;
-+ u32 seclen;
- int err;
-
-- err = security_socket_getpeersec_dgram(NULL, skb, &secid);
-+ err = security_socket_getpeersec_dgram(NULL, skb, &lb);
- if (err)
- return;
-
-- err = security_secid_to_secctx(secid, &secdata, &seclen);
-+ /* Scaffolding - it has to be element 0 */
-+ err = security_secid_to_secctx(lb.secid[0], &secdata, &seclen);
- if (err)
- return;
-
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 181ea6fb56a6..c15668b80d1d 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -138,17 +138,17 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
- #ifdef CONFIG_SECURITY_NETWORK
- static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
- {
-- UNIXCB(skb).secid = scm->secid;
-+ UNIXCB(skb).lsmblob = scm->lsmblob;
- }
-
- static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
- {
-- scm->secid = UNIXCB(skb).secid;
-+ scm->lsmblob = UNIXCB(skb).lsmblob;
- }
-
- static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
- {
-- return (scm->secid == UNIXCB(skb).secid);
-+ return lsmblob_equal(&scm->lsmblob, &(UNIXCB(skb).lsmblob));
- }
- #else
- static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
+@@ -1918,8 +1919,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
+ return 0;
+ }
+
+-static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
+- void **lsmrule)
++static inline int security_audit_rule_match(struct lsmblob *blob, u32 field,
++ u32 op, void **lsmrule)
+ {
+ return 0;
+ }
+diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
+index 45da229f9f1f..e27424216159 100644
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -1331,6 +1331,7 @@ int audit_filter(int msgtype, unsigned int listtype)
+ struct audit_field *f = &e->rule.fields[i];
+ pid_t pid;
+ u32 sid;
++ struct lsmblob blob;
+
+ switch (f->type) {
+ case AUDIT_PID:
+@@ -1361,8 +1362,9 @@ int audit_filter(int msgtype, unsigned int listtype)
+ case AUDIT_SUBJ_CLR:
+ if (f->lsm_isset) {
+ security_task_getsecid(current, &sid);
+- result = security_audit_rule_match(sid,
+- f->type, f->op,
++ lsmblob_init(&blob, sid);
++ result = security_audit_rule_match(
++ &blob, f->type, f->op,
+ f->lsm_rules);
+ }
+ break;
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 9eea55525480..a8335cbe0091 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -472,6 +472,7 @@ static int audit_filter_rules(struct task_struct *tsk,
+ const struct cred *cred;
+ int i, need_sid = 1;
+ u32 sid;
++ struct lsmblob blob;
+ unsigned int sessionid;
+
+ cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
+@@ -670,7 +671,9 @@ static int audit_filter_rules(struct task_struct *tsk,
+ security_task_getsecid(tsk, &sid);
+ need_sid = 0;
+ }
+- result = security_audit_rule_match(sid, f->type,
++ lsmblob_init(&blob, sid);
++ result = security_audit_rule_match(&blob,
++ f->type,
+ f->op,
+ f->lsm_rules);
+ }
+@@ -685,15 +688,17 @@ static int audit_filter_rules(struct task_struct *tsk,
+ if (f->lsm_isset) {
+ /* Find files that match */
+ if (name) {
++ lsmblob_init(&blob, name->osid);
+ result = security_audit_rule_match(
+- name->osid,
++ &blob,
+ f->type,
+ f->op,
+ f->lsm_rules);
+ } else if (ctx) {
+ list_for_each_entry(n, &ctx->names_list, list) {
++ lsmblob_init(&blob, name->osid);
+ if (security_audit_rule_match(
+- n->osid,
++ &blob,
+ f->type,
+ f->op,
+ f->lsm_rules)) {
+@@ -705,7 +710,8 @@ static int audit_filter_rules(struct task_struct *tsk,
+ /* Find ipc objects that match */
+ if (!ctx || ctx->type != AUDIT_IPC)
+ break;
+- if (security_audit_rule_match(ctx->ipc.osid,
++ lsmblob_init(&blob, ctx->ipc.osid);
++ if (security_audit_rule_match(&blob,
+ f->type, f->op,
+ f->lsm_rules))
+ ++result;
+diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
+index 8e8b1e3cb847..0c520ea21677 100644
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -430,8 +430,8 @@ static inline void ima_filter_rule_free(void *lsmrule)
+ {
+ }
+
+-static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
+- void *lsmrule)
++static inline int ima_filter_rule_match(struct lsmblob *blob, u32 field,
++ u32 op, void *lsmrule)
+ {
+ return -EINVAL;
+ }
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index de72b719c90c..265184921eef 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -576,6 +576,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
+ for (i = 0; i < MAX_LSM_RULES; i++) {
+ int rc = 0;
+ u32 osid;
++ struct lsmblob lsmdata;
+
+ if (!ima_lsm_isset(rule, i)) {
+ if (!rule->lsm[i].args_p)
+@@ -588,14 +589,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
+ case LSM_OBJ_ROLE:
+ case LSM_OBJ_TYPE:
+ security_inode_getsecid(inode, &osid);
+- rc = ima_filter_rule_match(osid, rule->lsm[i].type,
++ lsmblob_init(&lsmdata, osid);
++ rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type,
+ Audit_equal,
+ rule->lsm[i].rules);
+ break;
+ case LSM_SUBJ_USER:
+ case LSM_SUBJ_ROLE:
+ case LSM_SUBJ_TYPE:
+- rc = ima_filter_rule_match(secid, rule->lsm[i].type,
++ lsmblob_init(&lsmdata, secid);
++ rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type,
+ Audit_equal,
+ rule->lsm[i].rules);
+ default:
diff --git a/security/security.c b/security/security.c
-index d6d882b1f7d5..c42873876954 100644
+index 05ce02ae7c46..291db266fdc2 100644
--- a/security/security.c
+++ b/security/security.c
-@@ -2219,10 +2219,22 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
- optval, optlen, len);
- }
-
--int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
-+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
-+ struct lsmblob *blob)
- {
-- return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
-- skb, secid);
-+ struct security_hook_list *hp;
-+ int rc = -ENOPROTOOPT;
-+
-+ hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
-+ list) {
-+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+@@ -2605,11 +2605,14 @@ void security_audit_rule_free(void **lsmrule)
+ hlist_for_each_entry(hp, &security_hook_heads.audit_rule_free, list) {
+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+ continue;
++ if (lsmrule[hp->lsmid->slot] == NULL)
+ continue;
-+ rc = hp->hook.socket_getpeersec_dgram(sock, skb,
-+ &blob->secid[hp->lsmid->slot]);
-+ if (rc != 0)
-+ break;
-+ }
-+ return rc;
- }
- EXPORT_SYMBOL(security_socket_getpeersec_dgram);
-
+ hp->hook.audit_rule_free(lsmrule[hp->lsmid->slot]);
+ }
+ }
+
+-int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule)
++int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
++ void **lsmrule)
+ {
+ struct security_hook_list *hp;
+ int rc;
+@@ -2617,7 +2620,10 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule)
+ hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+ continue;
+- rc = hp->hook.audit_rule_match(secid, field, op,
++ if (lsmrule[hp->lsmid->slot] == NULL)
++ continue;
++ rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
++ field, op,
+ &lsmrule[hp->lsmid->slot]);
+ if (rc)
+ return rc;
--
-2.24.1
-
+2.25.4
+