--- v38
+++ v28
@@ -1,124 +1,281 @@
-Create real functions for the ima_filter_rule interfaces.
-These replace #defines that obscure the reuse of audit
-interfaces. The new functions are put in security.c because
-they use security module registered hooks that we don't
-want exported.
+Change the security_secctx_to_secid interface to use a lsmblob
+structure in place of the single u32 secid in support of
+module stacking. Change its callers to do the same.
+
+The security module hook is unchanged, still passing back a secid.
+The infrastructure passes the correct entry from the lsmblob.
Acked-by: Paul Moore <paul@paul-moore.com>
-Reviewed-by: John Johansen <john.johansen@canonical.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
-To: Mimi Zohar <zohar@linux.ibm.com>
-Cc: linux-integrity@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Cc: netfilter-devel@vger.kernel.org
+To: Pablo Neira Ayuso <pablo@netfilter.org>
---
- include/linux/security.h | 24 ++++++++++++++++++++++++
- security/integrity/ima/ima.h | 26 --------------------------
- security/security.c | 21 +++++++++++++++++++++
- 3 files changed, 45 insertions(+), 26 deletions(-)
+ include/linux/security.h | 26 ++++++++++++++++++--
+ kernel/cred.c | 4 +---
+ net/netfilter/nft_meta.c | 10 ++++----
+ net/netfilter/xt_SECMARK.c | 7 +++++-
+ net/netlabel/netlabel_unlabeled.c | 23 +++++++++++-------
+ security/security.c | 40 ++++++++++++++++++++++++++-----
+ 6 files changed, 85 insertions(+), 25 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
-index c4696f14daac..fe3273a6498f 100644
+index 332df8a1cd4d..986a8f4bcd54 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
-@@ -1944,6 +1944,30 @@ static inline void security_audit_rule_free(void *lsmrule)
- #endif /* CONFIG_SECURITY */
- #endif /* CONFIG_AUDIT */
-
-+#if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY)
-+int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
-+int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
-+void ima_filter_rule_free(void *lsmrule);
-+
-+#else
-+
-+static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
-+ void **lsmrule)
+@@ -196,6 +196,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
+ extern int lsm_name_to_slot(char *name);
+ extern const char *lsm_slot_to_name(int slot);
+
++/**
++ * lsmblob_value - find the first non-zero value in an lsmblob structure.
++ * @blob: Pointer to the data
++ *
++ * This needs to be used with extreme caution, as the cases where
++ * it is appropriate are rare.
++ *
++ * Return the first secid value set in the lsmblob.
++ * There should only be one.
++ */
++static inline u32 lsmblob_value(const struct lsmblob *blob)
+{
++ int i;
++
++ for (i = 0; i < LSMBLOB_ENTRIES; i++)
++ if (blob->secid[i])
++ return blob->secid[i];
++
+ return 0;
+}
+
-+static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
-+ void *lsmrule)
-+{
-+ return 0;
-+}
-+
-+static inline void ima_filter_rule_free(void *lsmrule)
-+{ }
-+
-+#endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */
-+
- #ifdef CONFIG_SECURITYFS
-
- extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index be965a8715e4..1b5d70ac2dc9 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -418,32 +418,6 @@ static inline void ima_free_modsig(struct modsig *modsig)
- }
- #endif /* CONFIG_IMA_APPRAISE_MODSIG */
-
--/* LSM based policy rules require audit */
--#ifdef CONFIG_IMA_LSM_RULES
--
--#define ima_filter_rule_init security_audit_rule_init
--#define ima_filter_rule_free security_audit_rule_free
--#define ima_filter_rule_match security_audit_rule_match
--
--#else
--
--static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
-- void **lsmrule)
--{
-- return -EINVAL;
--}
--
--static inline void ima_filter_rule_free(void *lsmrule)
--{
--}
--
--static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
-- void *lsmrule)
--{
-- return -EINVAL;
--}
--#endif /* CONFIG_IMA_LSM_RULES */
--
- #ifdef CONFIG_IMA_READ_POLICY
- #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR)
- #else
+ /* These functions are in security/commoncap.c */
+ extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
+ int cap, unsigned int opts);
+@@ -527,7 +548,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+ int security_netlink_send(struct sock *sk, struct sk_buff *skb);
+ int security_ismaclabel(const char *name);
+ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
++int security_secctx_to_secid(const char *secdata, u32 seclen,
++ struct lsmblob *blob);
+ void security_release_secctx(char *secdata, u32 seclen);
+ void security_inode_invalidate_secctx(struct inode *inode);
+ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+@@ -1382,7 +1404,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
+
+ static inline int security_secctx_to_secid(const char *secdata,
+ u32 seclen,
+- u32 *secid)
++ struct lsmblob *blob)
+ {
+ return -EOPNOTSUPP;
+ }
+diff --git a/kernel/cred.c b/kernel/cred.c
+index ea36ec6e1ad8..38b00a1390f4 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -798,14 +798,12 @@ EXPORT_SYMBOL(set_security_override);
+ int set_security_override_from_ctx(struct cred *new, const char *secctx)
+ {
+ struct lsmblob blob;
+- u32 secid;
+ int ret;
+
+- ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
++ ret = security_secctx_to_secid(secctx, strlen(secctx), &blob);
+ if (ret < 0)
+ return ret;
+
+- lsmblob_init(&blob, secid);
+ return set_security_override(new, &blob);
+ }
+ EXPORT_SYMBOL(set_security_override_from_ctx);
+diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
+index a7e01e9952f1..f9448e81798e 100644
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -809,21 +809,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
+
+ static int nft_secmark_compute_secid(struct nft_secmark *priv)
+ {
+- u32 tmp_secid = 0;
++ struct lsmblob blob;
+ int err;
+
+- err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
++ err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob);
+ if (err)
+ return err;
+
+- if (!tmp_secid)
++ if (!lsmblob_is_set(&blob))
+ return -ENOENT;
+
+- err = security_secmark_relabel_packet(tmp_secid);
++ err = security_secmark_relabel_packet(lsmblob_value(&blob));
+ if (err)
+ return err;
+
+- priv->secid = tmp_secid;
++ priv->secid = lsmblob_value(&blob);
+ return 0;
+ }
+
+diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
+index 498a0bf6f044..87ca3a537d1c 100644
+--- a/net/netfilter/xt_SECMARK.c
++++ b/net/netfilter/xt_SECMARK.c
+@@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
+
+ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
+ {
++ struct lsmblob blob;
+ int err;
+
+ info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
+ info->secid = 0;
+
+ err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
+- &info->secid);
++ &blob);
+ if (err) {
+ if (err == -EINVAL)
+ pr_info_ratelimited("invalid security context \'%s\'\n",
+@@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
+ return err;
+ }
+
++ /* xt_secmark_target_info can't be changed to use lsmblobs because
++ * it is exposed as an API. Use lsmblob_value() to get the one
++ * value that got set by security_secctx_to_secid(). */
++ info->secid = lsmblob_value(&blob);
+ if (!info->secid) {
+ pr_info_ratelimited("unable to map security context \'%s\'\n",
+ info->secctx);
+diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
+index 2483df0bbd7c..c29a8d7a7070 100644
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -882,7 +882,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
+ void *addr;
+ void *mask;
+ u32 addr_len;
+- u32 secid;
++ struct lsmblob blob;
+ struct netlbl_audit audit_info;
+
+ /* Don't allow users to add both IPv4 and IPv6 addresses for a
+@@ -906,13 +906,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
+ ret_val = security_secctx_to_secid(
+ nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+ nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+- &secid);
++ &blob);
+ if (ret_val != 0)
+ return ret_val;
+
++ /* netlbl_unlhsh_add will be changed to pass a struct lsmblob *
++ * instead of a u32 later in this patch set. security_secctx_to_secid()
++ * will only be setting one entry in the lsmblob struct, so it is
++ * safe to use lsmblob_value() to get that one value. */
++
+ return netlbl_unlhsh_add(&init_net,
+- dev_name, addr, mask, addr_len, secid,
+- &audit_info);
++ dev_name, addr, mask, addr_len,
++ lsmblob_value(&blob), &audit_info);
+ }
+
+ /**
+@@ -933,7 +938,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
+ void *addr;
+ void *mask;
+ u32 addr_len;
+- u32 secid;
++ struct lsmblob blob;
+ struct netlbl_audit audit_info;
+
+ /* Don't allow users to add both IPv4 and IPv6 addresses for a
+@@ -955,13 +960,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
+ ret_val = security_secctx_to_secid(
+ nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+ nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+- &secid);
++ &blob);
+ if (ret_val != 0)
+ return ret_val;
+
++ /* security_secctx_to_secid() will only put one secid into the lsmblob
++ * so it's safe to use lsmblob_value() to get the secid. */
+ return netlbl_unlhsh_add(&init_net,
+- NULL, addr, mask, addr_len, secid,
+- &audit_info);
++ NULL, addr, mask, addr_len,
++ lsmblob_value(&blob), &audit_info);
+ }
+
+ /**
diff --git a/security/security.c b/security/security.c
-index af62f4c1cc89..b916469388b0 100644
+index 69474918be8b..1621a28bf9c4 100644
--- a/security/security.c
+++ b/security/security.c
-@@ -2603,6 +2603,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
- }
- #endif /* CONFIG_AUDIT */
-
-+#ifdef CONFIG_IMA_LSM_RULES
-+/*
-+ * The integrity subsystem uses the same hooks as
-+ * the audit subsystem.
-+ */
-+int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
-+{
-+ return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
-+}
-+
-+void ima_filter_rule_free(void *lsmrule)
-+{
-+ call_void_hook(audit_rule_free, lsmrule);
-+}
-+
-+int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
-+{
-+ return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
-+}
-+#endif /* CONFIG_IMA_LSM_RULES */
-+
- #ifdef CONFIG_BPF_SYSCALL
- int security_bpf(int cmd, union bpf_attr *attr, unsigned int size)
- {
+@@ -2193,10 +2193,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+ }
+ EXPORT_SYMBOL(security_secid_to_secctx);
+
+-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
++int security_secctx_to_secid(const char *secdata, u32 seclen,
++ struct lsmblob *blob)
+ {
+- *secid = 0;
+- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
++ struct security_hook_list *hp;
++ int rc;
++
++ lsmblob_init(blob, 0);
++ hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
++ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
++ continue;
++ rc = hp->hook.secctx_to_secid(secdata, seclen,
++ &blob->secid[hp->lsmid->slot]);
++ if (rc != 0)
++ return rc;
++ }
++ return 0;
+ }
+ EXPORT_SYMBOL(security_secctx_to_secid);
+
+@@ -2347,10 +2359,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
+ optval, optlen, len);
+ }
+
+-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
++int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
++ u32 *secid)
+ {
+- return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
+- skb, secid);
++ struct security_hook_list *hp;
++ int rc = -ENOPROTOOPT;
++
++ /*
++ * Only one security module should provide a real hook for
++ * this. A stub or bypass like is used in BPF should either
++ * (somehow) leave rc unaltered or return -ENOPROTOOPT.
++ */
++ hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
++ list) {
++ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
++ continue;
++ rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid);
++ if (rc != -ENOPROTOOPT)
++ break;
++ }
++ return rc;
+ }
+ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
+
--
-2.37.3
-
+2.31.1
+