--- v33
+++ v28
@@ -1,139 +1,281 @@
-Change the security_kernel_act_as interface to use a lsmblob
+Change the security_secctx_to_secid interface to use a lsmblob
structure in place of the single u32 secid in support of
-module stacking. Change its only caller, set_security_override,
-to do the same. Change that one's only caller,
-set_security_override_from_ctx, to call it with the new
-parameter type.
-
-The security module hook is unchanged, still taking a secid.
+module stacking. Change its callers to do the same.
+
+The security module hook is unchanged, still passing back a secid.
The infrastructure passes the correct entry from the lsmblob.
-lsmblob_init() is used to fill the lsmblob structure, however
-this will be removed later in the series when security_secctx_to_secid()
-is updated to provide a lsmblob instead of a secid.
-
+
+Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: John Johansen <john.johansen@canonical.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
-To: David Howells <dhowells@redhat.com>
+Cc: netdev@vger.kernel.org
+Cc: netfilter-devel@vger.kernel.org
+To: Pablo Neira Ayuso <pablo@netfilter.org>
---
- include/linux/cred.h | 3 ++-
- include/linux/security.h | 5 +++--
- kernel/cred.c | 10 ++++++----
- security/security.c | 14 ++++++++++++--
- 4 files changed, 23 insertions(+), 9 deletions(-)
-
-diff --git a/include/linux/cred.h b/include/linux/cred.h
-index fcbc6885cc09..eb02e8514239 100644
---- a/include/linux/cred.h
-+++ b/include/linux/cred.h
-@@ -18,6 +18,7 @@
-
- struct cred;
- struct inode;
-+struct lsmblob;
-
- /*
- * COW Supplementary groups list
-@@ -165,7 +166,7 @@ extern const struct cred *override_creds(const struct cred *);
- extern void revert_creds(const struct cred *);
- extern struct cred *prepare_kernel_cred(struct task_struct *);
- extern int change_create_files_as(struct cred *, struct inode *);
--extern int set_security_override(struct cred *, u32);
-+extern int set_security_override(struct cred *, struct lsmblob *);
- extern int set_security_override_from_ctx(struct cred *, const char *);
- extern int set_create_files_as(struct cred *, struct inode *);
- extern int cred_fscmp(const struct cred *, const struct cred *);
+ include/linux/security.h | 26 ++++++++++++++++++--
+ kernel/cred.c | 4 +---
+ net/netfilter/nft_meta.c | 10 ++++----
+ net/netfilter/xt_SECMARK.c | 7 +++++-
+ net/netlabel/netlabel_unlabeled.c | 23 +++++++++++-------
+ security/security.c | 40 ++++++++++++++++++++++++++-----
+ 6 files changed, 85 insertions(+), 25 deletions(-)
+
diff --git a/include/linux/security.h b/include/linux/security.h
-index d02af9b77f8c..4ce8dbeb3dad 100644
+index 332df8a1cd4d..986a8f4bcd54 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
-@@ -463,7 +463,7 @@ void security_cred_free(struct cred *cred);
- int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
- void security_transfer_creds(struct cred *new, const struct cred *old);
- void security_cred_getsecid(const struct cred *c, u32 *secid);
--int security_kernel_act_as(struct cred *new, u32 secid);
-+int security_kernel_act_as(struct cred *new, struct lsmblob *blob);
- int security_kernel_create_files_as(struct cred *new, struct inode *inode);
- int security_kernel_module_request(char *kmod_name);
- int security_kernel_load_data(enum kernel_load_data_id id, bool contents);
-@@ -1105,7 +1105,8 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid)
- *secid = 0;
- }
-
--static inline int security_kernel_act_as(struct cred *cred, u32 secid)
-+static inline int security_kernel_act_as(struct cred *cred,
-+ struct lsmblob *blob)
- {
- return 0;
+@@ -196,6 +196,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
+ extern int lsm_name_to_slot(char *name);
+ extern const char *lsm_slot_to_name(int slot);
+
++/**
++ * lsmblob_value - find the first non-zero value in an lsmblob structure.
++ * @blob: Pointer to the data
++ *
++ * This needs to be used with extreme caution, as the cases where
++ * it is appropriate are rare.
++ *
++ * Return the first secid value set in the lsmblob.
++ * There should only be one.
++ */
++static inline u32 lsmblob_value(const struct lsmblob *blob)
++{
++ int i;
++
++ for (i = 0; i < LSMBLOB_ENTRIES; i++)
++ if (blob->secid[i])
++ return blob->secid[i];
++
++ return 0;
++}
++
+ /* These functions are in security/commoncap.c */
+ extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
+ int cap, unsigned int opts);
+@@ -527,7 +548,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+ int security_netlink_send(struct sock *sk, struct sk_buff *skb);
+ int security_ismaclabel(const char *name);
+ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
++int security_secctx_to_secid(const char *secdata, u32 seclen,
++ struct lsmblob *blob);
+ void security_release_secctx(char *secdata, u32 seclen);
+ void security_inode_invalidate_secctx(struct inode *inode);
+ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+@@ -1382,7 +1404,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
+
+ static inline int security_secctx_to_secid(const char *secdata,
+ u32 seclen,
+- u32 *secid)
++ struct lsmblob *blob)
+ {
+ return -EOPNOTSUPP;
}
diff --git a/kernel/cred.c b/kernel/cred.c
-index 473d17c431f3..e5e41bd4efc3 100644
+index ea36ec6e1ad8..38b00a1390f4 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
-@@ -772,14 +772,14 @@ EXPORT_SYMBOL(prepare_kernel_cred);
- /**
- * set_security_override - Set the security ID in a set of credentials
- * @new: The credentials to alter
-- * @secid: The LSM security ID to set
-+ * @blob: The LSM security information to set
- *
- * Set the LSM security ID in a set of credentials so that the subjective
- * security is overridden when an alternative set of credentials is used.
- */
--int set_security_override(struct cred *new, u32 secid)
-+int set_security_override(struct cred *new, struct lsmblob *blob)
- {
-- return security_kernel_act_as(new, secid);
-+ return security_kernel_act_as(new, blob);
- }
- EXPORT_SYMBOL(set_security_override);
-
-@@ -795,6 +795,7 @@ EXPORT_SYMBOL(set_security_override);
- */
+@@ -798,14 +798,12 @@ EXPORT_SYMBOL(set_security_override);
int set_security_override_from_ctx(struct cred *new, const char *secctx)
{
-+ struct lsmblob blob;
- u32 secid;
+ struct lsmblob blob;
+- u32 secid;
int ret;
-@@ -802,7 +803,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx)
+- ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
++ ret = security_secctx_to_secid(secctx, strlen(secctx), &blob);
if (ret < 0)
return ret;
-- return set_security_override(new, secid);
-+ lsmblob_init(&blob, secid);
-+ return set_security_override(new, &blob);
+- lsmblob_init(&blob, secid);
+ return set_security_override(new, &blob);
}
EXPORT_SYMBOL(set_security_override_from_ctx);
-
+diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
+index a7e01e9952f1..f9448e81798e 100644
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -809,21 +809,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
+
+ static int nft_secmark_compute_secid(struct nft_secmark *priv)
+ {
+- u32 tmp_secid = 0;
++ struct lsmblob blob;
+ int err;
+
+- err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
++ err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob);
+ if (err)
+ return err;
+
+- if (!tmp_secid)
++ if (!lsmblob_is_set(&blob))
+ return -ENOENT;
+
+- err = security_secmark_relabel_packet(tmp_secid);
++ err = security_secmark_relabel_packet(lsmblob_value(&blob));
+ if (err)
+ return err;
+
+- priv->secid = tmp_secid;
++ priv->secid = lsmblob_value(&blob);
+ return 0;
+ }
+
+diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
+index 498a0bf6f044..87ca3a537d1c 100644
+--- a/net/netfilter/xt_SECMARK.c
++++ b/net/netfilter/xt_SECMARK.c
+@@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
+
+ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
+ {
++ struct lsmblob blob;
+ int err;
+
+ info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
+ info->secid = 0;
+
+ err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
+- &info->secid);
++ &blob);
+ if (err) {
+ if (err == -EINVAL)
+ pr_info_ratelimited("invalid security context \'%s\'\n",
+@@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
+ return err;
+ }
+
++ /* xt_secmark_target_info can't be changed to use lsmblobs because
++ * it is exposed as an API. Use lsmblob_value() to get the one
++ * value that got set by security_secctx_to_secid(). */
++ info->secid = lsmblob_value(&blob);
+ if (!info->secid) {
+ pr_info_ratelimited("unable to map security context \'%s\'\n",
+ info->secctx);
+diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
+index 2483df0bbd7c..c29a8d7a7070 100644
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -882,7 +882,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
+ void *addr;
+ void *mask;
+ u32 addr_len;
+- u32 secid;
++ struct lsmblob blob;
+ struct netlbl_audit audit_info;
+
+ /* Don't allow users to add both IPv4 and IPv6 addresses for a
+@@ -906,13 +906,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
+ ret_val = security_secctx_to_secid(
+ nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+ nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+- &secid);
++ &blob);
+ if (ret_val != 0)
+ return ret_val;
+
++ /* netlbl_unlhsh_add will be changed to pass a struct lsmblob *
++ * instead of a u32 later in this patch set. security_secctx_to_secid()
++ * will only be setting one entry in the lsmblob struct, so it is
++ * safe to use lsmblob_value() to get that one value. */
++
+ return netlbl_unlhsh_add(&init_net,
+- dev_name, addr, mask, addr_len, secid,
+- &audit_info);
++ dev_name, addr, mask, addr_len,
++ lsmblob_value(&blob), &audit_info);
+ }
+
+ /**
+@@ -933,7 +938,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
+ void *addr;
+ void *mask;
+ u32 addr_len;
+- u32 secid;
++ struct lsmblob blob;
+ struct netlbl_audit audit_info;
+
+ /* Don't allow users to add both IPv4 and IPv6 addresses for a
+@@ -955,13 +960,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
+ ret_val = security_secctx_to_secid(
+ nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+ nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+- &secid);
++ &blob);
+ if (ret_val != 0)
+ return ret_val;
+
++ /* security_secctx_to_secid() will only put one secid into the lsmblob
++ * so it's safe to use lsmblob_value() to get the secid. */
+ return netlbl_unlhsh_add(&init_net,
+- NULL, addr, mask, addr_len, secid,
+- &audit_info);
++ NULL, addr, mask, addr_len,
++ lsmblob_value(&blob), &audit_info);
+ }
+
+ /**
diff --git a/security/security.c b/security/security.c
-index 5b2dc867c57d..2178235529eb 100644
+index 69474918be8b..1621a28bf9c4 100644
--- a/security/security.c
+++ b/security/security.c
-@@ -1803,9 +1803,19 @@ void security_cred_getsecid(const struct cred *c, u32 *secid)
- }
- EXPORT_SYMBOL(security_cred_getsecid);
-
--int security_kernel_act_as(struct cred *new, u32 secid)
-+int security_kernel_act_as(struct cred *new, struct lsmblob *blob)
- {
-- return call_int_hook(kernel_act_as, 0, new, secid);
+@@ -2193,10 +2193,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+ }
+ EXPORT_SYMBOL(security_secid_to_secctx);
+
+-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
++int security_secctx_to_secid(const char *secdata, u32 seclen,
++ struct lsmblob *blob)
+ {
+- *secid = 0;
+- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+ struct security_hook_list *hp;
+ int rc;
+
-+ hlist_for_each_entry(hp, &security_hook_heads.kernel_act_as, list) {
++ lsmblob_init(blob, 0);
++ hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+ continue;
-+ rc = hp->hook.kernel_act_as(new, blob->secid[hp->lsmid->slot]);
++ rc = hp->hook.secctx_to_secid(secdata, seclen,
++ &blob->secid[hp->lsmid->slot]);
+ if (rc != 0)
+ return rc;
+ }
+ return 0;
}
-
- int security_kernel_create_files_as(struct cred *new, struct inode *inode)
+ EXPORT_SYMBOL(security_secctx_to_secid);
+
+@@ -2347,10 +2359,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
+ optval, optlen, len);
+ }
+
+-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
++int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
++ u32 *secid)
+ {
+- return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
+- skb, secid);
++ struct security_hook_list *hp;
++ int rc = -ENOPROTOOPT;
++
++ /*
++ * Only one security module should provide a real hook for
++ * this. A stub or bypass like is used in BPF should either
++ * (somehow) leave rc unaltered or return -ENOPROTOOPT.
++ */
++ hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
++ list) {
++ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
++ continue;
++ rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid);
++ if (rc != -ENOPROTOOPT)
++ break;
++ }
++ return rc;
+ }
+ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
+
--
2.31.1